Iam Usermanual
User Guide
Issue 21
Date 2021-09-02
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective
holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and
the customer. All or part of the products, services and features described in this document may not be
within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements,
information, and recommendations in this document are provided "AS IS" without warranties, guarantees
or representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.
Contents
5 Permissions ........ 34
5.1 Basic Concepts ........ 34
5.2 Roles ........ 35
5.3 Policies ........ 37
5.3.1 Policy Content ........ 37
5.3.2 Policy Syntax ........ 37
5.3.3 Authentication Process ........ 43
5.4 Change to the System-Defined Policy Names ........ 44
5.5 Viewing Assignment Records ........ 49
5.6 Custom Policies ........ 50
5.6.1 Creating a Custom Policy ........ 50
5.6.2 Modifying or Deleting a Custom Policy ........ 56
5.6.3 Custom Policy Use Cases ........ 57
5.6.4 Cloud Services Supported by IAM ........ 59
6 Projects ........ 61
7 Agencies ........ 64
7.1 Account Delegation ........ 64
7.1.1 Delegating Resource Access to Another Account ........ 64
7.1.2 Creating an Agency (by a Delegating Party) ........ 65
7.1.3 (Optional) Assigning Permissions to an IAM User (by a Delegated Party) ........ 67
7.1.4 Switching Roles (by a Delegated Party) ........ 69
7.2 Cloud Service Delegation ........ 70
8 Security Settings ........ 72
8.1 Security Settings Overview ........ 72
8.2 Basic Information ........ 74
8.3 Critical Operation Protection ........ 75
8.4 Login Authentication Policy ........ 83
8.5 Password Policy ........ 84
8.6 ACL ........ 86
9 Identity Providers ........ 87
9.1 Introduction ........ 87
9.2 SAML-based Federated Identity Authentication ........ 89
9.2.1 Configuration of SAML-based Federated Identity Authentication ........ 90
9.2.2 Step 1: Create an Identity Provider ........ 92
9.2.3 Step 2: Configure Identity Conversion Rules ........ 97
9.2.4 (Optional) Step 3: Configure Login Link in the Enterprise Management System ........ 101
9.3 OpenID Connect–based Federated Identity Authentication ........ 101
9.3.1 Configuration of OpenID Connect–based Federated Identity Authentication ........ 101
9.3.2 Step 1: Create an Identity Provider ........ 103
9.3.3 Step 2: Configure Identity Conversion Rules ........ 106
9.3.4 (Optional) Step 3: Configure Login Link in the Enterprise Management System ........ 110
9.4 Syntax of Identity Conversion Rules ........ 111
13 Quotas ........ 138
Intended Audience
The Identity and Access Management (IAM) service is intended for administrators,
including:
● Account administrator (with full permissions for all services, including IAM)
● IAM users added to the admin group (with full permissions for all services,
including IAM)
● IAM users assigned the Security Administrator role (with permissions to
access IAM)
If you want to view, audit, and track the records of key operations performed on
IAM, enable Cloud Trace Service (CTS). For details, see Enabling CTS.
Step 2 On the management console, hover the mouse pointer over the username in the
upper right corner, and choose Identity and Access Management from the drop-
down list.
----End
Account
An account is created after you successfully register with HUAWEI CLOUD. Your
account has full access permissions for your resources and makes payments for
the use of these resources. You cannot modify or delete your account in IAM, but
you can do so in My Account.
After you log in to your account, you will see a user marked Enterprise
administrator on the Users page of the IAM console.
IAM User
You and other administrators can create IAM users in IAM and assign permissions
for specific resources. As shown in the following figure, James is an IAM user
created by an administrator. IAM users can log in to HUAWEI CLOUD using their
account name, username, and password, and then use resources based on
assigned permissions. IAM users do not own resources and cannot make
payments.
User Group
You can use user groups to assign permissions to IAM users. By default, new IAM
users do not have permissions. To assign permissions to new users, add them to
one or more groups, and grant permissions to these groups. The users then inherit
permissions from the groups to which the users belong, and can perform specific
operations on cloud services.
The default user group admin has all permissions required to use all of the cloud
resources. Users in this group can perform operations on all the resources,
including but not limited to creating user groups and users, modifying
permissions, and managing resources.
Permission
IAM provides common permissions of different services, such as administrator and
read-only permissions, which you can assign to users. By default, new IAM users
do not have permissions. To assign permissions to new users, add them to one or
more groups, and assign permissions policies or roles to these groups. The users
then inherit permissions from the groups to which the users belong, and can
perform specific operations on cloud services.
● Roles: a type of coarse-grained authorization mechanism that defines service-
level permissions based on user responsibilities. There are only a limited
number of roles for granting permissions to users. When using roles to grant
permissions, you also need to assign dependency roles. Roles are not an ideal
choice for fine-grained authorization and secure access control.
● Policies: a type of fine-grained authorization mechanism that defines
permissions required to perform operations on specific cloud resources under
certain conditions. This mechanism allows for more flexible policy-based
authorization and secure access control. For example, you can grant Elastic
Cloud Server (ECS) users only the permissions required for managing a certain
type of ECS resources.
When an IAM user granted only ECS permissions accesses other services, a
message similar to the following will be displayed.
You can log in to HUAWEI CLOUD using any of the following methods (see Figure
2-1):
● Account login: Log in with the account that was created when you used
HUAWEI CLOUD for the first time. Your account has full access permissions
for your cloud resources and makes payments for the use of these resources.
To log in to HUAWEI CLOUD using an account, do as follows:
– HUAWEI ID: A HUAWEI ID is a unified identity that you can use to access
all Huawei services.
NOTE
Step 1 On the login page, click Huawei Website Account, as shown in the following
figure.
Next time you log in to the HUAWEI CLOUD console, you can use the name or
mobile number set in Step 2 for the HUAWEI CLOUD account.
----End
NOTE
If your HUAWEI CLOUD account has been upgraded to a HUAWEI ID, use the HUAWEI ID
to log in. For details, see Logging In Using a HUAWEI ID.
Step 1 On the login page, click HUAWEI CLOUD Account, as shown in Figure 2-3.
----End
Step 1 Click IAM User on the login page, and then enter your account name, IAM user
name/email address, and password.
● Tenant name or HUAWEI CLOUD account name: The name of the account
that was used to create the IAM user, that is, the HUAWEI CLOUD account.
You can obtain the account name from the administrator.
● IAM user name or email address: The username or email address of the IAM
user. You can obtain the username and password from the administrator.
● IAM user password: The password of the IAM user (not the password of the
account).
----End
You can log in to HUAWEI CLOUD as a federated user if you have obtained the
name of your identity provider, the HUAWEI CLOUD account used to create the
identity provider, and the username and password for logging in to your enterprise
management system.
Step 1 On the HUAWEI CLOUD login page, click Federated User, enter the account
name, and select an identity provider.
● HUAWEI CLOUD account name or tenant name: The name of the HUAWEI
CLOUD account used to create the identity provider. You can obtain the
account name from the administrator.
● Identity provider: The name of the identity provider created by the
administrator. You can obtain the identity provider name from the
administrator.
Step 2 Click Log In. The login page of the enterprise management system is displayed.
Step 3 Enter your username and password for accessing the enterprise management
system.
----End
3 IAM Users
NOTE
If you delete a user and create a new user with the same name, you need to grant the
required permissions to the new user again.
The default user group admin has all permissions required to use all of the cloud
resources. Users in this group can perform operations on all the resources,
including but not limited to creating user groups and users, modifying
permissions, and managing resources.
Procedure
Step 1 Log in to the IAM console as an administrator.
Step 2 On the IAM console, choose Users from the navigation pane, and click Create
User in the upper right corner.
Step 3 Specify the user information on the Create User page. To create more users, click
Add User. You can add a maximum of 10 users at a time.
NOTE
● You cannot bind the mobile number and email address associated with your account to
IAM users.
● Users who have access to the management console can log in to HUAWEI CLOUD using
their username, email address, or mobile number.
● If users forget their password, they can reset it through email address or mobile number
verification. If no email address or mobile number has been bound to the users, they
need to request the administrator to reset their password.
– If an IAM user accesses cloud services only by using the management console,
specify the access type as Management console access and the credential type as
Password.
– If the user accesses cloud services only through programmatic calls, specify the
access type as Programmatic access and the credential type as Access key.
– If the user needs to use a password as the credential for programmatic access
to certain APIs, specify the access type as Programmatic access and the credential
type as Password.
– If the user needs to perform access key verification when using certain services in
the console, specify the access type as "Programmatic access + Management
console access" and the credential type as "Access Key + Password". For example,
the user needs to perform access key verification when creating a data migration
job in the Cloud Data Migration (CDM) console.
Access key | After you create the user, you can download the access key (AK/SK)
generated for the user. Each user can have a maximum of two access keys.
Password | Set now | Set a password for the user and determine whether to require
the user to reset the password at first login. If you are the user, select this
option and set a password for login. You do not need to select Require password
reset at first login.
Step 5 (Optional) Click Next and add the user to one or more user groups.
● The user will inherit the permissions assigned to the user groups to which the
user belongs.
● You can also create new groups as required.
NOTE
● If the user will be an administrator, add the user to the default group admin.
● You can add a user to a maximum of 10 user groups.
----End
● Tenant name or HUAWEI CLOUD account name: The name of the account
that was used to create the IAM user, that is, the HUAWEI CLOUD account.
You can obtain the account name from the administrator.
● IAM user name or email address: The username or email address of the IAM
user. You can obtain the username and password from the administrator.
● IAM user password: The password of the IAM user (not the password of the
account).
Step 2 Click Log In.
NOTE
● If you have not been added to any group, you do not have permissions for accessing any
cloud services. In this case, contact the administrator and request for required
permissions (see Creating a User Group and Assigning Permissions and Adding Users
to or Removing Users from a User Group).
● If you have been added to the default group admin, you have administrator permissions
and you can perform all operations on all cloud services.
----End
Step 1 Obtain the IAM user login link from the administrator.
Step 2 Paste the link into the address bar of a browser, press Enter, and enter the IAM
user name/email address and password, and click Log In.
----End
To change the columns of the user list, click . The Username and Operation
columns are displayed by default, and the Status column cannot be removed. You
can also select Description, Last Login, Created, Access Type, Virtual MFA
Status, Password Age, and Access Key (Status, Age, and AK).
Basic Information
You can view the basic information, including the name, ID, creation time, status,
access type, and description of each IAM user. The username, user ID, and creation
time cannot be modified.
● Status: New IAM users are enabled by default. You can set Status to
Disabled to disable an IAM user. The user is no longer able to log in to
HUAWEI CLOUD through the management console or programmatic access.
● Access Type: Change the access type of the IAM user.
NOTE
● Pay attention to the following when you set the access type of an IAM user:
● If the user accesses cloud services only by using the management console,
specify the access type as Management console access and the credential
type as Password.
● If the user accesses cloud services only through programmatic calls, specify
the access type as Programmatic access and the credential type as Access
key.
● If the user needs to use a password as the credential for programmatic
access to certain APIs, specify the access type as Programmatic access and
the credential type as Password.
● If the user needs to perform access key verification when using certain
services in the console, specify the access type as "Programmatic access +
Management console access" and the credential type as "Access Key +
Password". For example, the user needs to perform access key verification
when creating a data migration job in the Cloud Data Migration (CDM)
console.
● If the access type of the user is Programmatic access or "Programmatic access +
Management console access", deselecting Programmatic access will restrict the
user's access to HUAWEI CLOUD. Exercise caution when performing this operation.
● Description: Modify the description of the IAM user.
User Groups
An IAM user inherits permissions from the groups to which the user belongs. To
change the permissions of an IAM user, you need to change the groups to
which the user belongs. To modify the permissions of a user group, see Viewing
or Modifying User Group Information.
Your account belongs to the default group admin, which cannot be changed.
● Click Add to User Groups, and select one or more groups to which the user
will belong. The user then inherits permissions of these groups.
● To cancel the permissions of the user in a user group, click on the right of
the group, and click OK.
The mobile number and email address of the IAM user cannot be the same as
those of your account or other IAM users.
– Remove the MFA device from the user. For more information about MFA
authentication and virtual MFA device, see MFA Authentication and
Virtual MFA Device.
● Login Credentials: You can change the login password of the IAM user. For
more information, see Changing the Login Password of an IAM User.
● Login Protection: You can change the login verification method of the IAM
user. Three verification methods are available: virtual MFA device, SMS, and
email.
This option is disabled by default. If you enable this option, the user will need
to enter a verification code in addition to the username and password when
logging in to the console.
● Access Keys: You can manage access keys of the IAM user. For more
information, see Managing Access Keys for an IAM User.
Permissions Assigned
View or delete permissions of IAM users. To modify permissions of IAM users, see
User Groups.
To view all permission assignment records under your account, see Viewing
Assignment Records.
NOTE
Deleting the permissions of an IAM user will delete the permissions assigned to the group
to which the user belongs. All users in the group will no longer have the permissions.
Exercise caution when performing this operation.
CAUTION
If an IAM user is deleted, all data of the user will be deleted and cannot be
recovered. Exercise caution when performing this operation. If you only want to
remove an IAM user from a user group, see Adding Users to or Removing Users
from a User Group.
Procedure
Step 1 Log in to the IAM console. In the navigation pane, choose Users.
Step 2 Click Delete in the row containing the IAM user you want to delete, and click Yes.
----End
NOTE
● The Security Settings tab page is used for resetting the password of an IAM user.
● If IAM users remember their passwords, they can change the passwords on the Basic
Information tab page. If you want to change the password of your account, see How
Do I Change My Password?
● Set by user: The user clicks the one-time login URL received by email and sets
a new password.
● Automatically generated: Download the password file and provide the
automatically generated password to the user.
● Set now: Set a new password for the user and provide the password to the
user.
NOTE
● If a user is authorized to use the console, the user can manage access keys on the My
Credentials page.
● Access keys are identity credentials used to call APIs. The account administrator and
IAM users can only use their own access keys to call APIs.
● Creating an access key
a. Click Create Access Key.
NOTE
Access keys have unlimited validity, and each user can have a maximum of two access
keys. For security purposes, change the access keys of IAM users periodically.
b. Enter the verification code or password.
c. Click OK. An access key is automatically generated. Download the access
key and provide it to the user.
● Deleting an access key
a. In the access key list, click Delete in the row containing the access key to
be deleted.
b. Enter the verification code or password.
c. Click Yes.
● Enabling/Disabling an access key
New access keys are enabled by default. To disable an access key, perform the
following steps:
a. In the access key list, click Disable in the row containing the access key
you want to disable.
b. Enter the verification code or password, and click Yes.
The method of enabling an access key is similar to that of disabling an access
key.
Prerequisites
Before creating a user group, complete the following operations:
● Understand the basic concepts of permissions.
● Plan the permissions required for the user group. Table 4-1 shows the
permissions of IAM. For the permissions of other services, see System
Permissions.
● Check whether the roles you will attach to the user group have dependencies.
For more information, see Assigning Dependency Roles.
Step 3 Specify the scope. If you select Region-specific projects, select one or more
projects in the drop-down list.
● Global service project: Services deployed without specifying physical regions
are called global services, such as Object Storage Service (OBS), Content
Delivery Network (CDN), and Tag Management Service (TMS). Permissions
for these services must be assigned in the global service project.
● Region-specific projects: Services deployed in specific regions are called
project-level services. Permissions for these services need to be assigned in
region-specific projects and take effect only for the corresponding regions.
– All projects: Permissions take effect for both the global service project
and region-specific projects, including projects created later.
– Specific projects: Permissions take effect only for the region-specific
projects you select.
NOTE
If the permissions you select have dependencies, the system automatically selects all the
dependency permissions. Click View Selected or expand the details area to view the
dependency permissions.
----End
Table 4-2 lists the common permissions. For the complete list of service-specific
permissions, see System Permissions.
NOTE
● If you add a user to multiple groups, the user will inherit all the permissions that have
been assigned to the groups.
● For more information about permissions management, see Assigning Permissions to
O&M Personnel, Assigning Dependency Roles, and Custom Policy Use Cases.
Step 2 In the Manage User dialog box, select the usernames to be added.
----End
----End
NOTE
● Modifying the permissions of a user group affects the permissions of all users in the
user group. Exercise caution when performing this operation.
● Permissions of the default user group admin cannot be modified.
1. Choose User Groups in the navigation pane, click Manage Permissions in the
row that contains the target user group, click the Permissions Assigned tab,
and view the group's permissions.
2. Click Delete in the row that contains the role or policy you want to delete.
3. Click Yes.
4. On the Permissions Assigned tab page, click Assign.
If a user group name has been configured in the identity conversion rules of an identity
provider, modifying the user group name will cause the identity conversion rules to fail.
Exercise caution when performing this operation.
Managing Users
1. In the user group list, click Manage User in the row containing the user group
you want to modify.
2. In the Available Users area, select users you want to add to the user group.
3. In the Selected Users area, remove users from the user group.
NOTE
For the default group admin, you can only manage its users and cannot modify its
description or permissions.
Step 1 Log in to the IAM console. In the navigation pane, choose User Groups.
Step 2 Click the name of the user group to go to the group details page.
Step 3 On the Permissions Assigned tab page, click Delete in the row that contains the
role or policy you want to delete.
----End
Procedure
Step 1 Search for the role that you want to attach to a user group.
Step 2 Select the desired role. The system automatically selects the dependency roles.
For example, the DNS Administrator role contains the Depends parameter which
specifies the dependency roles. When you assign the DNS Administrator role to a
user group, you also need to assign the Tenant Guest and VPC Administrator
roles to the group for the same project.
Step 4 Click OK.
----End
5 Permissions
Basic Concepts
Roles
Policies
Change to the System-Defined Policy Names
Viewing Assignment Records
Custom Policies
Permission Type
You can grant users permissions by using roles and policies.
● Roles: a type of coarse-grained authorization mechanism that defines service-
level permissions based on user responsibilities. There are only a limited
number of roles for granting permissions to users. When using roles to grant
permissions, you also need to assign dependency roles. Roles are not an ideal
choice for fine-grained authorization and secure access control.
● Policies: a type of fine-grained authorization mechanism that defines
permissions required to perform operations on specific cloud resources under
certain conditions. This mechanism allows for more flexible policy-based
authorization and secure access control. For example, you can grant ECS users
only the permissions required for managing a certain type of ECS resources.
IAM supports both system-defined policies and custom policies.
System-Defined Policy
A system-defined policy defines the common actions of a cloud service. System-
defined policies can be used to assign permissions to user groups, and cannot be
modified. For details about the system-defined policies of all cloud services,
see System Permissions.
If you need to assign permissions for a specific service to a user group or agency
on the IAM console but cannot find corresponding policies, it indicates that the
service does not support permissions management through IAM. Please submit a
service ticket and request that permissions for the service be made available in
IAM.
Custom Policy
You can create custom policies using the actions supported by cloud services and
use custom policies to supplement system-defined policies for more refined access
control. You can create custom policies in the visual editor or in JSON view.
5.2 Roles
Roles are a type of coarse-grained authorization mechanism that defines service-
level permissions based on user responsibilities. There are only a limited number
of roles for granting permissions to users.
HUAWEI CLOUD services interwork with each other. Roles of some services take
effect only if they are assigned along with roles of other services. For more
information, see Assigning Dependency Roles.
Role Content
When assigning permissions, select a role and click to view the details of the
role. This section uses the DNS Administrator role as an example to describe the
syntax.
{
  "Version": "1.0",
  "Statement": [
    {
      "Action": [
        "DNS:Zone:*",
        "DNS:RecordSet:*",
        "DNS:PTRRecord:*"
      ],
      "Effect": "Allow"
    }
  ],
  "Depends": [
    {
      "catalog": "BASE",
      "display_name": "Tenant Guest"
    },
    {
      "catalog": "VPC",
      "display_name": "VPC Administrator"
    }
  ]
}
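The dependency check that the Prerequisites and Assigning Dependency Roles sections ask for, written here as an added Python example (not the guide's own code and not a Huawei API): it walks the Depends list of the DNS Administrator role shown above and reports which dependency roles a user group still lacks in a project. The role catalogue is constructed; the dependency recorded for VPC Administrator is an assumption made for illustration, and the walk is transitive (a dependency's own dependencies are included), which goes beyond the single-level example in the text.

```python
# Constructed role catalogue. The DNS Administrator entry mirrors the Depends
# list of the role shown above; the VPC Administrator dependency is assumed
# here only so that the transitive walk has something to resolve.
ROLE_CATALOG = {
    "DNS Administrator": {
        "Depends": [
            {"catalog": "BASE", "display_name": "Tenant Guest"},
            {"catalog": "VPC", "display_name": "VPC Administrator"},
        ]
    },
    "VPC Administrator": {
        "Depends": [{"catalog": "BASE", "display_name": "Tenant Guest"}]  # assumption
    },
    "Tenant Guest": {"Depends": []},
}


def required_roles(role_name, catalog=ROLE_CATALOG):
    """Return every role that must accompany role_name (transitively), excluding itself."""
    seen, stack = set(), [role_name]
    while stack:
        name = stack.pop()
        if name in seen:
            continue
        seen.add(name)
        # Roles unknown to the catalogue are treated as having no dependencies.
        for dep in catalog.get(name, {}).get("Depends", []):
            stack.append(dep["display_name"])
    seen.discard(role_name)
    return seen


def missing_dependencies(assigned, catalog=ROLE_CATALOG):
    """Given the roles assigned to a group in one project, list dependency roles not yet assigned."""
    assigned_set = set(assigned)
    missing = set()
    for role in assigned:
        missing |= required_roles(role, catalog) - assigned_set
    return sorted(missing)


if __name__ == "__main__":
    group_roles = ["DNS Administrator"]
    print("missing for", group_roles, "->", missing_dependencies(group_roles))
```

Run the check before clicking OK in the Assign dialog, or over an export of a group's Permissions Assigned tab, to confirm that Tenant Guest and VPC Administrator are present in the same project as DNS Administrator.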
Parameter Description
5.3 Policies
{
  "Version": "1.1",
  "Statement": [
    {
      "Action": [
        "iam:*:get*",
        "iam:*:list*",
        "iam:*:check*"
      ],
      "Effect": "Allow"
    }
  ]
}
          "g:MFAPresent": [
            "true"
          ]
        }
      },
      "Resource": [
        "obs:*:*:bucket:*"
      ]
    }
  ]
}
Policy Structure
A policy consists of a version and statements. Each policy can have multiple
statements.
Policy Parameters
Policy parameters include Version and Statement, which are described in the
following table. You can create custom policies using the parameters, for different
scenarios. For details, see Custom Policy Use Cases.
● Condition key
A condition key is a key in the Condition element of a statement. There are
global and service-level condition keys.
– Global condition keys (starting with g:) apply to all operations. IAM
provides common global condition keys and special global condition
keys.
● Operator
An operator (see Operators), a condition key, and a condition value together
constitute a complete condition statement. A policy takes effect only when its
request conditions are met. The operator suffix IfExists indicates that a policy
takes effect if a request value is empty or meets the specified condition. For
example, if the operator StringEqualsIfExists is selected for a policy, the
policy takes effect if a request value is empty or equal to the specified
condition value.
Table 5-5 Operators (String operators are not case-sensitive unless otherwise
specified.)
Operator | Type | Description
StringNotStartWith | String | The request value does not start with the condition value.
StringNotEndWith | String | The request value does not end with the condition value.
StringNotStartWithAnyOf | String | The request value does not start with any of the configured condition values.
StringNotEndWithAnyOf | String | The request value does not end with any of the configured condition values.
CS CS Admin CS FullAccess
CS Viewer CS ReadOnlyAccess
CS User CS CommonOperations
Permissions for IAM projects are granted to user groups. The IAM project permissions
assigned to an IAM user are the permissions of the group to which the user belongs.
● IAM project/Enterprise project: Specify a permission scope. If you select
Enterprise project and enter a project name, the enterprise project view is
displayed. To view assignment records of IAM project permissions, select the
following options:
● Policy/Role name:
To view the assignment records of a policy or role, select Policy/Role name,
and enter a name. For details about the cloud service permissions supported
by enterprise projects, see System Permissions.
● Username/User group name/Agency name:
To view the enterprise project permissions assigned to a specific IAM user or
user group, select Username or User group name, and enter a name.
NOTE
● Visual editor: Select a cloud service, specify actions and resources, and add
request conditions. You do not need to have knowledge of JSON syntax.
● JSON: Create a policy in the JSON format from scratch or based on an existing
policy.
Step 4 Select a scope based on the type of services related to this policy. For more
information about service types, see System Permissions.
● Global services: Select this option if the services to which the policy is related
must be deployed in the Global region. When creating custom policies for
globally deployed services, specify the scope as Global services. Custom
policies of this scope must be attached to user groups for the global service
project.
● Project-level services: Select this option if the services to which the policy is
related must be deployed in specific regions. When creating custom policies
for regionally deployed services, specify the scope as Project-level services.
Custom policies of this scope must be attached to user groups for specific
projects except the global service project.
For example, when creating a custom policy containing the action
evs:volumes:create for EVS, specify the scope as Project-level services.
NOTE
A custom policy can contain actions of multiple services that are globally accessible or
accessible through region-specific projects. To define permissions required to access both
global and project-level services, create two custom policies and specify the scope as
Global services and Project-level services respectively.
Only one cloud service can be selected for each permission block. To configure
permissions for multiple cloud services, click Add Permissions, or switch to the JSON
view (see Creating a Custom Policy in JSON View).
3. Select actions.
4. (Optional) Select all resources, or select specific resources by specifying their
paths.
Cloud services that allow authorization for specific resources include: Object
Storage Service (OBS), Intelligent EdgeFabric (IEF), Data Lake Insight (DLI),
Graph Engine Service (GES), FunctionGraph, Distributed Message Service
(DMS), IoT Device Access (IoTDA), Key Management Service (KMS),
Autonomous Driving Cloud Service (Octopus), and Data Warehouse Service
(DWS). For details, see Cloud Services Supported by IAM.
Step 7 (Optional) Switch to the JSON view and modify the policy content in the JSON
format.
NOTE
If the modified policy content is incorrect, check and modify the content again, or click
Reset to cancel the modifications.
Step 8 (Optional) To add another permission block for the policy, click Add Permissions.
Alternatively, click the plus (+) icon on the right of an existing permission block to
clone its permissions.
Step 11 Attach the policy to a user group. Users in the group then inherit the permissions
defined in this policy.
NOTE
You can attach custom policies to a user group in the same way as you attach system-
defined policies. For details, see Creating a User Group and Assigning Permissions.
----End
Step 2 On the IAM console, choose Permissions from the navigation pane, and click
Create Custom Policy in the upper right corner.
Step 4 Select a scope based on the type of services related to this policy (Global
services or Project-level services), applying the same rules as in Step 4 of the visual
editor procedure above. For more information about service types, see System Permissions.
NOTE
You can attach custom policies to a user group in the same way as you attach system-
defined policies. For details, see Creating a User Group and Assigning Permissions.
----End
Only custom policies that are not attached to any user groups or agencies can be deleted. If
a custom policy has been attached to certain user groups or agencies, detach the policy and
then delete it.
1. In the navigation pane of the IAM console, choose Permissions. Then select
Custom policy from the filter criteria drop-down list.
2. In the row containing the custom policy you want to delete, click Delete.
3. Click Yes.
NOTE
● Action: Operations to be performed. Each action must be defined in the format "Service
name:Resource type:Operation".
For example, cts:*:* refers to permissions for performing all operations on all resource
types of CTS.
● Effect: Determines whether to deny or allow the operation.
Example policy forbidding users whose names start with TestUser from
viewing buckets whose names start with TestBucket:
{
"Version": "1.1",
"Statement": [
{
"Effect": "Deny",
"Action": [
"obs:bucket:ListAllMybuckets",
"obs:bucket:HeadBucket",
"obs:bucket:ListBucket",
"obs:bucket:GetBucketLocation"
],
"Resource": [
"obs:*:*:bucket:TestBucket*"
],
"Condition": {
"StringStartWith": {
"g:UserName": [
"TestUser"
]
}
}
}
]
}
NOTE
Currently, only certain cloud services (such as OBS) support resource-based authorization.
For services that do not support this function, you cannot create custom policies containing
resource types.
● The following is an example policy that allows only IAM users whose names
start with TestUser to delete all objects in the my-object directory of the
bucket my-bucket.
{
"Version": "1.1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"obs:object:DeleteObject"
],
"Resource": [
"obs:*:*:object:my-bucket/my-object/*"
],
"Condition": {
"StringStartWith": {
"g:UserName": [
"TestUser"
]
}
}
}
]
}
● The following is an example policy that allows access to all services except
ECS, EVS, VPC, ELB, AOM, and APM.
{
"Version": "1.1",
"Statement": [
{
"Effect": "Allow",
"Action": [
"*:*:*"
]
},
{
"Action": [
"ecs:*:*",
"evs:*:*",
"vpc:*:*",
"elb:*:*",
"aom:*:*",
"apm:*:*"
],
"Effect": "Deny"
}
]
}
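The following is an added example, not code from the IAM user guide or from HUAWEI CLOUD, that shows how the pieces of the policy syntax above fit together: the Table 5-5 operators (including the IfExists suffix and the case-insensitive string comparison the table describes) and the three custom policies from this section, evaluated against a request. It embeds those three policies as constructed inputs and assumes deny-overrides evaluation (a matching Deny beats any Allow, and no match is an implicit Deny), which is the precedence the "all services except ECS, EVS, ..." example relies on; the request context keys and resource strings are hypothetical.

```python
import fnmatch
import json

# Constructed inputs: the three custom-policy examples from this section,
# embedded as JSON so the evaluator runs offline.
DENY_TESTUSER_TESTBUCKET = json.loads("""
{
  "Version": "1.1",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": ["obs:bucket:ListAllMybuckets", "obs:bucket:HeadBucket",
                 "obs:bucket:ListBucket", "obs:bucket:GetBucketLocation"],
      "Resource": ["obs:*:*:bucket:TestBucket*"],
      "Condition": {"StringStartWith": {"g:UserName": ["TestUser"]}}
    }
  ]
}""")

ALLOW_TESTUSER_DELETE = json.loads("""
{
  "Version": "1.1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["obs:object:DeleteObject"],
      "Resource": ["obs:*:*:object:my-bucket/my-object/*"],
      "Condition": {"StringStartWith": {"g:UserName": ["TestUser"]}}
    }
  ]
}""")

ALL_EXCEPT_COMPUTE = json.loads("""
{
  "Version": "1.1",
  "Statement": [
    {"Effect": "Allow", "Action": ["*:*:*"]},
    {"Effect": "Deny",
     "Action": ["ecs:*:*", "evs:*:*", "vpc:*:*", "elb:*:*", "aom:*:*", "apm:*:*"]}
  ]
}""")


def _glob(value, patterns):
    """Case-insensitive '*' matching for Action and Resource strings."""
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)


def condition_holds(operator, request_value, condition_values):
    """Evaluate one Table 5-5 operator against one request value.

    IfExists: a missing request key satisfies the condition; without the suffix a
    missing key fails it. String comparisons are case-insensitive, as the table says.
    """
    base = operator[:-len("IfExists")] if operator.endswith("IfExists") else operator
    if request_value is None:
        return base != operator
    any_of = base.endswith("AnyOf")
    core = base[:-len("AnyOf")] if any_of else base
    negate = core.startswith("StringNot")
    core = core.replace("StringNot", "String", 1)
    r = str(request_value).lower()
    tests = {
        "StringEquals": lambda v: r == v,
        "StringStartWith": lambda v: r.startswith(v),
        "StringEndWith": lambda v: r.endswith(v),
        "Bool": lambda v: r == v,
    }
    if core not in tests:
        raise ValueError(f"operator not implemented in this example: {operator}")
    hit = any(tests[core](str(v).lower()) for v in condition_values)
    return (not hit) if negate else hit


def statement_applies(stmt, action, resource, context):
    """A statement applies when Action, Resource (if present) and every Condition match."""
    if not _glob(action, stmt["Action"]):
        return False
    if "Resource" in stmt and not _glob(resource, stmt["Resource"]):
        return False
    for operator, keys in stmt.get("Condition", {}).items():
        for key, values in keys.items():
            if not condition_holds(operator, context.get(key), values):
                return False
    return True


def evaluate(policies, action, resource, context):
    """Deny-overrides (assumed): any matching Deny wins, a matching Allow grants,
    nothing matching is an implicit Deny."""
    decision = "Deny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if statement_applies(stmt, action, resource, context):
                if stmt["Effect"] == "Deny":
                    return "Deny"
                decision = "Allow"
    return decision


if __name__ == "__main__":
    ctx = {"g:UserName": "TestUser01"}
    print(evaluate([ALL_EXCEPT_COMPUTE, DENY_TESTUSER_TESTBUCKET], "obs:bucket:ListBucket",
                   "obs:cn-north-4:0123:bucket:TestBucket1", ctx))
```

Note the two traps the evaluator makes visible: an Allow with a broad Action such as "*:*:*" is only as narrow as the Deny statements attached to it, and a condition without IfExists fails closed when the request carries no value for the key, whereas the IfExists variant passes.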
The following table lists the cloud services that support resource-level
authorization and the supported resource types.
Table 5-10 Cloud services that support resource-level authorization and the
supported resource types
deployment Deployment
trigger Trigger
6 Projects
You can use projects to group and isolate resources (including compute, storage,
and network resources) across physical regions. A default project is provided for
each region, and you can create subprojects under each default project. You can
grant permissions to users for accessing resources in specific projects.
For more refined access control, create subprojects under a project and purchase
resources in the subprojects. IAM users can be assigned permissions to access only
specific resources in the subprojects.
IAM projects are different from enterprise projects. For more information, see
Differences Between IAM Projects and Enterprise Projects.
Creating a Project
Step 1 On the IAM console, choose Projects from the navigation pane, and click Create
Project.
NOTE
● The project name will be in the format "Name of the default project for the selected
region_Custom project name". The name of default projects cannot be modified.
● The project name can only contain letters, digits, hyphens (-), and underscores (_). The
total length of the project name cannot exceed 64 characters.
----End
Step 1 In the user group list, click Manage Permissions in the row containing the user
group.
Step 2 On the Permissions Assigned tab page, click Assign above the permission list.
Step 3 Specify the authorization scope. If you select Region-specific projects, select one
or more projects in the drop-down list.
NOTE
For more information about permissions assignment, see Creating a User Group and
Assigning Permissions.
----End
7 Agencies
Account Delegation
Cloud Service Delegation
NOTE
You can delegate resource access only to HUAWEI CLOUD accounts. The accounts can then
delegate access to IAM users under them.
The following is the procedure for delegating access to resources in one account to
another account. Account A is the delegating party and account B is the delegated
party.
Step 1 Account A creates an agency in IAM to delegate resource access to account B.
----End
Prerequisites
Before creating an agency, complete the following operations:
● Understand the basic concepts of permissions.
Procedure
Step 1 Log in to the IAM console.
Step 2 On the IAM console, choose Agencies from the navigation pane, and click Create
Agency in the upper right corner.
Step 3 Enter an agency name.
Step 4 Specify the agency type as Account, and enter the name of a HUAWEI CLOUD
account.
NOTE
Step 5 Set the validity period and enter a description for the agency.
Step 6 Click Next.
Step 7 Set the authorization scope, and select the permissions you want to grant to the
agency.
NOTE
After creating an agency, provide your account name, agency name, agency ID, and agency
permissions to the delegated party. The delegated party can then switch the role to your
account and manage specific resources.
----End
Related Operations
● Modifying an agency
To modify the permissions, validity period, and description of an agency, click
Modify in the row containing the agency.
● Deleting an agency
To delete an agency, click Delete in the row containing the agency and click
Yes.
NOTE
After you delete an agency, all permissions granted to the delegated account will be
cancelled.
Prerequisites
● A trust relationship has been established between another account and your
account.
● You have obtained the name of the delegating account and the name and ID
of the created agency.
Procedure
Step 1 Create a custom policy.
NOTE
This step is used to create a policy containing permissions required to manage resources for
a specific agency. If you want to authorize an IAM user to manage resources for all
agencies, go to Step 2.
NOTE
– Custom policy: Allows a user to manage resources only for a specific agency.
– Agent Operator role: Allows a user to manage resources for all agencies.
7. Click OK.
Step 3 Create an IAM user and add the user to the user group.
1. On the Users page, click Create User.
2. On the Create User page, enter a username.
3. For the access type, select Management console access and Set by user.
After the permissions assignment is complete, the IAM user can switch to the account
of the delegating party and manage specific resources under the account.
----End
Related Operations
The delegated account or the authorized IAM users can switch their roles to the
delegating account to view and use its resources.
Prerequisites
● A trust relationship has been established between another account and your
account.
● You have obtained the name of the delegating account and the agency name.
Procedure
Step 1 Log in to the HUAWEI CLOUD console using your account or log in as the IAM
user created in Step 3 of (Optional) Assigning Permissions to an IAM User (by
a Delegated Party).
NOTE
The IAM user created in Step 3 of (Optional) Assigning Permissions to an IAM User (by
a Delegated Party) can switch roles to manage resources for the delegating party.
Step 2 Hover the mouse pointer over the username in the upper right corner and choose
Switch Role.
Step 3 On the Switch Role page, enter the account name of the delegating party.
NOTE
If an agency other than the agencies created by the delegating party is displayed, it
indicates that you do not have access permissions. Select the correct agency in the Agency
Name drop-down list.
----End
Follow-Up Procedure
To return to your own account, hover the mouse pointer over the username in the
upper right corner, choose Switch Role, and select your account.
Step 4 Select the Cloud service agency type, and then select a service.
Step 6 (Optional) Enter a description for the agency. For example, "GES agency granted
the KMS Administrator role".
Step 8 Set Scope to Global service project, select Tenant Administrator, and click OK.
Step 9 On the agency details page, click the Permissions Assigned tab, click Assign, set
Scope to Region-specific projects, select a project, and then select the Tenant
Administrator role.
----End
Related Operations
● Modifying an agency
To change the permissions of a cloud service agency, click Modify in the row
containing the agency.
NOTE
● You can change the cloud service, validity period, description, and permissions of
cloud service agencies, but you cannot change the agency name and type.
● Modifying the permissions may affect the usage of certain functions of cloud
services. Exercise caution when performing this operation.
● Deleting an agency
To delete an agency, click Delete in the row containing the agency and click
Yes.
8 Security Settings
Intended Audience
Table 8-1 lists the intended audience of different functions provided on the
Security Settings page and their access permissions for the functions.
● As an administrator, you can also access the Security Settings page from
the IAM console.
a. Log in to HUAWEI CLOUD and click Console in the upper right corner.
c. On the IAM console, choose Security Settings from the navigation pane.
NOTE
Step 2 Click the Basic Information tab, and click Change next to Login Password.
Step 3 Select email address or mobile number verification, and enter the verification
code.
NOTE
The two verification modes are available only if you have bound an email address and a
mobile number.
Step 4 Enter the old password and new password, and enter the new password again.
NOTE
● The password cannot be the username or the username spelled backwards. For
example, if the username is A12345, the password cannot be A12345, a12345, 54321A,
or 54321a.
● To prevent password cracking, the administrator can configure the password policy to
define password requirements, such as minimum password length. For details, see
Password Policy.
NOTE
You can associate only one mobile number, email address, and virtual MFA device with your
user account.
----End
NOTE
Federated users do not need to verify their identity when performing critical operations.
The following procedure details how to bind a virtual MFA device. To learn how to
unbind or remove a virtual MFA device, see Virtual MFA Device.
NOTE
Before binding a virtual MFA device, ensure that you have installed an MFA application
(such as an authenticator app) on your mobile device.
Step 2 Click the Critical Operations tab, and click Bind next to Virtual MFA Device.
Step 3 Set up the MFA application by scanning the QR code or by manually entering the
secret key shown on the page. Both methods bind the same secret to the device.
NOTE
Verification codes are time-based: each code is derived from the secret and the
current time, so the phone clock must be accurate. Ensure that automatic time setup
has been enabled on your mobile phone; a skewed clock produces codes that HUAWEI
CLOUD rejects.
Step 4 View the verification code on the MFA application. The code is automatically
updated every 30 seconds.
Step 5 On the Bind Virtual MFA Device page, enter two consecutive verification codes
and click OK.
----End
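The following is an added example, not code from the IAM user guide or from HUAWEI CLOUD, showing what the virtual MFA device computes and why the Bind step asks for two consecutive codes. It implements time-based one-time passwords (RFC 6238, built on RFC 4226 HOTP with HMAC-SHA1, 30-second steps and 6 digits, the parameters common authenticator apps use); the secret is a constructed one, the RFC 6238 reference seed encoded in base32 the way a "secret key" for manual entry is displayed, and the binding check with a one-step clock tolerance is an assumption about how a server side would verify, not a description of HUAWEI CLOUD's implementation.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed test secret: the RFC 6238 reference seed, base32-encoded the way an
# authenticator app expects the "secret key" shown next to the QR code.
DEMO_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def decode_secret(secret_b32):
    """Decode the base32 secret shown for manual entry (apps often omit '=' padding)."""
    s = secret_b32.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(key, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key, unix_time, step=30, digits=6):
    """RFC 6238: HOTP with counter = floor(time / step). This is why the code changes
    every 30 seconds and why a wrong phone clock yields codes the server rejects."""
    return hotp(key, unix_time // step, digits)


def verify_binding(key, code1, code2, now, step=30, skew=1):
    """Accept two consecutive codes, as the Bind Virtual MFA Device step requests,
    allowing `skew` steps of clock drift either way (assumed server-side tolerance).
    Two consecutive codes prove the app is seeded with the right secret AND has a
    correct clock; a single code could match by chance or from a stale step."""
    counter = now // step
    for c in range(counter - skew, counter + skew + 1):
        if (hmac.compare_digest(hotp(key, c), code1)
                and hmac.compare_digest(hotp(key, c + 1), code2)):
            return True
    return False


if __name__ == "__main__":
    key = decode_secret(DEMO_SECRET_B32)
    now = int(time.time())
    print(totp(key, now), "valid for", step_left := 30 - now % 30, "more seconds")
```

The verify function compares codes with hmac.compare_digest to avoid a timing side channel, and it never accepts codes outside the small skew window: widening that window is the usual way a deployment silently weakens MFA.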
Login Protection
After login protection is enabled, you and IAM users created using your account
will need to enter a verification code in addition to the username and password
during login. Enable this function for account security.
For the account, only the account administrator can enable login protection for it.
For IAM users, both the account administrator and other administrators can
enable this feature for the users.
After you enable login protection, IAM users need to perform identity verification
when they access HUAWEI CLOUD using the management console. The setting does
not apply if IAM users use programmatic access.
● Enabling login protection for your HUAWEI CLOUD account
Go to the Security Settings page, and click the Critical Operations tab. Click
Enable next to Login Protection, select a verification method, enter the
verification code, and click OK.
Operation Protection
● Enabling operation protection
After operation protection is enabled, you and IAM users created using your
account need to enter a verification code when performing a critical operation,
such as deleting an ECS. This function is enabled by default. To ensure resource
security, keep it enabled.
Step 2 Click the Critical Operations tab on the Security Settings page, click Enable next
to Operation Protection, select Enable, and click OK.
----End
If operation protection is disabled, you and IAM users created using your account
do not need to enter a verification code when performing a critical operation.
Step 2 Click the Critical Operations tab on the Security Settings page, and click Change
next to Operation Protection.
----End
NOTE
Critical Operations
The following tables list the critical operations of each cloud service that require
identity verification.
MapReduce Service (MRS)
● Clusters
– Deleting a cluster
– Changing a pay-per-use cluster to yearly/monthly billing
– Stopping all components
– Synchronizing cluster configurations
● Nodes
– Stopping all roles
– Isolating a host
– Canceling isolation of a host
● Components
– Disabling a service
– Restarting a service
– Performing a rolling service restart
– Stopping a role instance
– Restarting a role instance
– Performing a rolling instance restart
– Recommissioning a role instance
– Decommissioning a role instance
– Saving service configurations
● Patches
– Installing a patch
– Uninstalling a patch
– Rolling back a patch
Session Timeout
Set the session timeout that will apply if you or users created using your account
do not perform any operations within a specific period.
The timeout ranges from 15 minutes to 24 hours, and the default timeout is 1
hour.
Account Lockout
Set a duration to lock users out if a specific number of unsuccessful login attempts
are reached within a certain period.
You can set the time for resetting the account lockout counter, maximum number
of unsuccessful login attempts, and account lock duration.
● Time for resetting the account lockout counter: The value ranges from 15 to
60 minutes, and the default value is 15 minutes.
● Maximum number of unsuccessful login attempts: The value ranges from 3 to
10, and the default value is 5.
● Lockout duration: The value ranges from 15 to 30 minutes, and the default
value is 15 minutes.
Account Disabling
Set a validity period to disable IAM users if they have not accessed HUAWEI
CLOUD using the console or APIs within a certain period.
This option is disabled by default. The validity period ranges from 1 to 240 days.
If you enable this option, the setting will take effect only for IAM users
created using your account. If an IAM user is disabled, the user can request the
administrator to enable their account again.
Custom Information
Set custom information that will be displayed upon successful login. For example,
enter the word Welcome.
No information is displayed by default, and the administrator can set custom
information that will be displayed.
You and all the IAM users created using your account will see the same
information upon successful login.
user can request the administrator to perform the modification or grant the
required permissions.
You can configure the password policy to ensure that IAM users create strong
passwords and rotate them periodically. In the password policy, you can define
password requirements, such as minimum password length, whether to allow
consecutive identical characters in a password, and whether to allow previously
used passwords.
Password Expiration
Set a validity period for passwords so that users change their passwords
periodically. The users will be prompted to change their passwords 15 days before
password expiration. Expired passwords cannot be used to log in to HUAWEI
CLOUD.
This option is disabled by default. The validity period ranges from 1 to 180 days.
The changes will take effect immediately for your account and all IAM users under
your account.
8.6 ACL
The ACL tab of the Security Settings page provides the IP Address Ranges, IPv4
CIDR Blocks, and VPC Endpoints settings for allowing user access only from
specified IP address ranges, IPv4 CIDR blocks, or VPC endpoints.
Only the administrator can configure the ACL, and IAM users cannot configure
the ACL. If an IAM user needs to configure the ACL, the user can request the
administrator to perform the configuration or grant the required permissions.
Access type:
● Console Access (recommended): The ACL will take effect only for IAM users
who are created using your account and have access to the console.
● API Access: The ACL will take effect for IAM users under your account two
hours after you complete the configuration, and controls the users' API access
through API Gateway. This function is available only for certain accounts.
NOTE
IP Address Ranges
Specify IP address ranges from 0.0.0.0 to 255.255.255.255 to allow access to
HUAWEI CLOUD. The default value is 0.0.0.0–255.255.255.255. If this parameter is
left blank or the default value is used, your IAM users can access the HUAWEI
CLOUD console from anywhere.
VPC Endpoints
Specify VPC endpoints, such as 0ccad098-b8f4-495a-9b10-613e2a5exxxx, to
allow API-based access to HUAWEI CLOUD.
NOTE
● User access is allowed if any of IP Address Ranges, IPv4 CIDR Blocks, and VPC
Endpoints is met.
● To restore IP Address Ranges to the default settings (0.0.0.0–255.255.255.255) and
clear the settings in IPv4 CIDR Blocks and VPC Endpoints, click Restore Defaults.
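The following is an added example, not code from the IAM user guide or from HUAWEI CLOUD, that evaluates a console login against the three ACL settings exactly as the notes above describe them: the settings are ORed, and a blank IP Address Ranges setting means the default 0.0.0.0–255.255.255.255. The practical consequence it demonstrates is that configuring IPv4 CIDR Blocks while leaving IP Address Ranges at the default restricts nothing, because the default range already matches every source. The function names are hypothetical; the sample addresses are from documentation ranges and the VPC endpoint ID is the placeholder shown above.

```python
import ipaddress

DEFAULT_IP_RANGE = "0.0.0.0-255.255.255.255"   # what Restore Defaults sets


def parse_ip_range(text):
    """Parse 'a.b.c.d-w.x.y.z' (the console displays an en dash; accept both)."""
    lo, _, hi = text.replace("\u2013", "-").partition("-")
    lo, hi = ipaddress.IPv4Address(lo.strip()), ipaddress.IPv4Address(hi.strip())
    if hi < lo:
        raise ValueError(f"range end precedes start: {text}")
    return lo, hi


def acl_allows(source_ip=None, vpc_endpoint_id=None,
               ip_ranges=(), cidr_blocks=(), vpc_endpoints=()):
    """Return True if the access is allowed under the ACL semantics described above:
    the three settings are ORed, and an empty IP Address Ranges list means the
    default range, which admits every IPv4 source."""
    ranges = [parse_ip_range(r) for r in (ip_ranges or [DEFAULT_IP_RANGE])]
    if source_ip is not None:
        ip = ipaddress.ip_address(source_ip)
        if ip.version == 4:   # the page defines only IPv4 ranges and CIDR blocks
            if any(lo <= ip <= hi for lo, hi in ranges):
                return True
            if any(ip in ipaddress.IPv4Network(c, strict=False) for c in cidr_blocks):
                return True
    return vpc_endpoint_id is not None and vpc_endpoint_id in set(vpc_endpoints)


def acl_is_restrictive(ip_ranges=()):
    """Flag the common mistake: CIDR blocks or endpoints configured while
    IP Address Ranges still covers the whole address space."""
    ranges = [parse_ip_range(r) for r in (ip_ranges or [DEFAULT_IP_RANGE])]
    everything = (ipaddress.IPv4Address("0.0.0.0"), ipaddress.IPv4Address("255.255.255.255"))
    return not any((lo, hi) == everything for lo, hi in ranges)


if __name__ == "__main__":
    office = ["198.51.100.1-198.51.100.50"]
    print(acl_allows("203.0.113.7", cidr_blocks=["192.0.2.0/24"]))            # True: default range
    print(acl_allows("203.0.113.7", ip_ranges=office, cidr_blocks=["192.0.2.0/24"]))  # False
```

When you narrow the ACL, narrow IP Address Ranges first; add CIDR blocks and VPC endpoints as additional allowed sources, and re-check with acl_is_restrictive-style logic that the range no longer spans 0.0.0.0–255.255.255.255.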
9 Identity Providers
Introduction
SAML-based Federated Identity Authentication
OpenID Connect–based Federated Identity Authentication
Syntax of Identity Conversion Rules
9.1 Introduction
HUAWEI CLOUD provides the identity provider function to implement federated
identity authentication based on Security Assertion Markup Language (SAML) or
OpenID Connect. This function allows users in your enterprise management
system to access HUAWEI CLOUD through single sign-on (SSO).
IAM supports two types of federated identity authentication:
● Web SSO: Browsers are used as the communication media. This
authentication type enables common users to access HUAWEI CLOUD using
browsers. You can implement SSO by using either of the following methods:
– Configure a login link in the enterprise management system. Users in
your enterprise can use the link to log in to HUAWEI CLOUD from the
enterprise management system.
– Provide the federated user login link to users in your enterprise. They
can log in to HUAWEI CLOUD using their accounts and passwords in the
enterprise management system.
● API calling: Development tools (such as OpenStack Client and Shibboleth ECP
Client) are used as the communication media. This authentication type
enables enterprise users and common users to access HUAWEI CLOUD by
calling APIs.
This chapter describes how to access HUAWEI CLOUD through web SSO login. For
details about how to access HUAWEI CLOUD by calling APIs, see Federated
Identity Authentication Management.
Basic Concepts
● Identity Provider (IdP)
An identity provider collects and stores user identity information, such as
usernames and passwords, and authenticates users during login. For federated
identity authentication between an enterprise and HUAWEI CLOUD, the
identity authentication system of the enterprise is an identity provider and is
also called "enterprise IdP". Popular third-party IdPs include Microsoft Active
Directory Federation Services (AD FS) and Shibboleth.
● Service Provider (SP)
A service provider establishes a trust relationship between an IdP and itself,
and uses the user information provided by the IdP to provide services. For
federated identity authentication between an enterprise and HUAWEI CLOUD,
HUAWEI CLOUD is a service provider.
● Federated identity authentication
Federated identity authentication is a process in which a trust relationship is
established between an IdP and SP to implement SSO.
● Single sign-on (SSO)
SSO is an access type that allows users to access a trusted SP after logging in
to the enterprise IdP. For example, after a trust relationship is established
between an enterprise management system and HUAWEI CLOUD, users in the
enterprise management system can use their existing accounts and passwords
to access HUAWEI CLOUD through the login link in the enterprise
management system.
● SAML 2.0
SAML 2.0 is an XML-based protocol that uses security tokens containing
assertions to pass information about an end user between an IdP and an SP. It
is an open standard ratified by the Organization for the Advancement of
Structured Information Standards (OASIS) and is being used by many IdPs.
For more information about this standard, see SAML 2.0 Technical Overview.
HUAWEI CLOUD implements federated identity authentication in compliance
with SAML 2.0. To successfully federate existing users to HUAWEI CLOUD,
ensure that your enterprise IdP is compatible with this protocol.
● OpenID Connect
OpenID Connect is a simple identity layer on top of the Open Authorization
2.0 (OAuth 2.0) protocol. IAM implements federated identity authentication in
compliance with OpenID Connect 1.0. To successfully federate existing users
to HUAWEI CLOUD, ensure that your enterprise IdP is compatible with this
protocol. For more information about OpenID Connect, see Welcome to
OpenID Connect.
● OAuth 2.0
OAuth 2.0 is an open authorization protocol. The authorization framework of
this protocol allows third-party applications to obtain access permissions.
● Simplified operations
Users can log in to HUAWEI CLOUD through the enterprise management
system.
Precautions
● To implement federated identity authentication, ensure that the clocks of your
enterprise IdP server and HUAWEI CLOUD are synchronized and use Greenwich Mean
Time (GMT) in the same time zone. The validity window of a SAML assertion is
checked against the service provider's clock, so an IdP clock that is skewed or
set to a local time zone causes otherwise valid logins to be rejected.
● Federated users are virtual identities that your enterprise IdP maps to
HUAWEI CLOUD. The identity information of federated users is stored in the
enterprise IdP, so their access to HUAWEI CLOUD has the following
restrictions:
– Federated users cannot perform verification when performing critical
operations. The critical operation protection settings do not apply to
federated users.
– Federated users cannot create access keys with unlimited validity, but
they can obtain temporary access credentials (access keys and
securityTokens) using user or agency tokens. For details, see Obtaining a
Temporary Access Key and SecurityToken.
If a federated user needs an access key with unlimited validity, the user
can contact the account administrator or an IAM user to create one. An
access key carries all permissions granted to the IAM user that owns it, not
those of the federated user, so it is recommended that the federated user
request an IAM user in the same group (with the same permissions) to create it.
CAUTION
2. Configure identity conversion rules: Map the users, user groups, and
permissions in the enterprise IdP to HUAWEI CLOUD (see Figure 9-3).
3. Configure a login link: Configure a login link (see Figure 9-4) in the
enterprise management system to allow users to access HUAWEI CLOUD
through SSO.
NOTE
To view interactive requests and assertions with a better experience, you are advised to use
Google Chrome and install the SAML Message Decoder plug-in.
1. A user uses a browser to open the login link of the identity provider, and then
the browser sends an SSO request to HUAWEI CLOUD.
2. HUAWEI CLOUD searches for a metadata file based on the login link, and
sends a SAML request to the browser.
3. The browser forwards the SAML request to the enterprise IdP.
4. The user enters their username and password on the login page displayed in
the enterprise IdP. After the enterprise IdP authenticates the user's identity, it
constructs a SAML assertion containing the user information, and sends the
assertion to the browser as a SAML response.
5. The browser forwards the SAML response to HUAWEI CLOUD.
6. HUAWEI CLOUD parses the assertion in the SAML response, and issues a
token to the user after identifying the group to which the user is mapped,
according to the configured identity conversion rules.
7. The user is logged in and can access HUAWEI CLOUD.
NOTE
The assertion must carry a signature; otherwise, the login will fail.
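The following is an added example, not code from the IAM user guide or from HUAWEI CLOUD, of the checks a service provider applies in step 6 before it trusts the assertion: the Assertion must be present and carry a ds:Signature (an unsigned assertion fails the login, as the note says), its Conditions window is evaluated in UTC against the SP's own clock with a small tolerance (the GMT precaution above), the Audience must name this SP, and only then are the NameID and attributes extracted as the input to identity conversion rules. Cryptographic verification of the signature is deliberately not implemented here; a SAML library must do that, and the sample Response built in the block carries a placeholder signature element for the structural check only. The SP entity ID, the IdP user name and the attribute names are hypothetical; the sample Responses are constructed, including one whose timestamps come from an IdP clock eight hours off, which the window check rejects.

```python
import base64
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET   # parse untrusted SAML with defusedxml in production

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SP_ENTITY_ID = "https://sp.example.com/saml"   # hypothetical SP entity ID
NOW = datetime(2021, 9, 2, 12, 0, 0, tzinfo=timezone.utc)   # fixed SP clock for the demo


def parse_saml_time(value):
    """SAML timestamps are xs:dateTime in UTC with a trailing Z; anything else is a misconfigured IdP."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"timestamp is not UTC/Z-terminated: {value!r}")


def check_assertion(response_b64, now, audience=SP_ENTITY_ID, skew=timedelta(minutes=3)):
    """Structural and validity-window checks on the SAML Response. The ds:Signature is
    only required to be present here; its cryptographic verification is left to a SAML library."""
    root = ET.fromstring(base64.b64decode(response_b64))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("Response carries no Assertion")
    if assertion.find("ds:Signature", NS) is None:
        raise ValueError("Assertion is unsigned; login must fail")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("Assertion has no Conditions")
    not_before = parse_saml_time(cond.get("NotBefore"))
    not_on_or_after = parse_saml_time(cond.get("NotOnOrAfter"))
    if now + skew < not_before:
        raise ValueError("Assertion not yet valid: IdP clock ahead of SP clock?")
    if now - skew >= not_on_or_after:
        raise ValueError("Assertion expired: IdP clock behind SP clock, or wrong time zone?")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in audiences:
        raise ValueError("Assertion not addressed to this SP")
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return name_id, attrs   # what the identity conversion rules consume


def verdict(response_b64, now):
    """Human-readable outcome of check_assertion."""
    try:
        name_id, attrs = check_assertion(response_b64, now)
        return f"accepted: {name_id} {attrs}"
    except ValueError as exc:
        return f"rejected: {exc}"


def sample_response(now, start_offset_min, end_offset_min, signed=True, audience=SP_ENTITY_ID):
    """Constructed sample Response; the signature block is a placeholder, not a real signature."""
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    not_before = (now + timedelta(minutes=start_offset_min)).strftime(fmt)
    not_on_or_after = (now + timedelta(minutes=end_offset_min)).strftime(fmt)
    signature = ("<ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>"
                 if signed else "")
    xml = (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" xmlns:ds="{NS["ds"]}">'
        f'<saml:Assertion>{signature}'
        f'<saml:Subject><saml:NameID>IdP_admin</saml:NameID></saml:Subject>'
        f'<saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}">'
        f'<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>'
        f'</saml:Conditions>'
        f'<saml:AttributeStatement><saml:Attribute Name="groups">'
        f'<saml:AttributeValue>admin</saml:AttributeValue><saml:AttributeValue>dev</saml:AttributeValue>'
        f'</saml:Attribute></saml:AttributeStatement>'
        f'</saml:Assertion></samlp:Response>'
    )
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    print(verdict(sample_response(NOW, -1, 5), NOW))
    print(verdict(sample_response(NOW, -540, -480), NOW))   # IdP clock 8 h off: expired
    print(verdict(sample_response(NOW, -1, 5, signed=False), NOW))
```

The expired case is what a wrong time zone on the IdP looks like from the SP side: the assertion is well formed and signed, yet every login fails, and the only clue is the Conditions window in the decoded response (the SAML Message Decoder plug-in mentioned above shows it).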
Prerequisites
You have registered an account in HUAWEI CLOUD as an enterprise administrator,
and have created user groups and granted them permissions in IAM. For details,
see Creating a User Group and Assigning Permissions.
NOTE
The user groups created in IAM will be used to assign permissions to enterprise IdP users
mapped to HUAWEI CLOUD.
Step 2 Upload the metadata file to the enterprise IdP server. For details about how to
upload the metadata file, see the documentation of your enterprise IdP.
Step 3 Obtain the metadata file of the enterprise IdP. For details about how to obtain the
metadata file, see the documentation of your enterprise IdP.
----End
Step 1 Log in to the IAM console, choose Identity Providers from the navigation pane,
and click Create Identity Provider in the upper right corner.
Step 2 Specify the name, protocol, status, and description of the identity provider.
NOTE
----End
NOTE
For details about how to obtain the metadata file, see the documentation of the enterprise
IdP.
c. Click Upload. The metadata extracted from the uploaded file is displayed.
Click OK.
The following example shows the metadata file of an enterprise IdP and
the metadata information that needs to be completed during manual
configuration.
c. Click OK.
Federated users only have read permissions for HUAWEI CLOUD by default. To assign
permissions to federated users, configure identity conversion rules for the identity provider.
For more information, see Step 2: Configure Identity Conversion Rules.
----End
Related Operations
● Viewing identity provider information: In the identity provider list, click View
in the row containing the identity provider, and view its basic information,
metadata, and identity conversion rules.
NOTE
To modify the configurations of an identity provider, click Modify at the bottom of the
details page.
● Modifying an identity provider: In the identity provider list, click Modify in the
row containing the identity provider, and then change its status and modify
the description, metadata, and identity conversion rules.
● Deleting an identity provider: In the identity provider list, click Delete in the
row containing the identity provider, and click Yes.
Follow-Up Procedure
● In the Identity Conversion Rules area, configure identity conversion rules to
map enterprise management system users to IAM user groups and grant the
users permissions. For details, see Step 2: Configure Identity Conversion
Rules.
● Configure the enterprise management system to allow users to access
HUAWEI CLOUD through SSO. For details, see (Optional) Step 3: Configure
Login Link in the Enterprise Management System.
● Modifications to identity conversion rules will take effect only after federated users log
in again.
● To modify the permissions of a user, modify the permissions of the user group to which
the user belongs. Then restart the enterprise IdP for the modifications to take effect.
Prerequisites
An identity provider has been created, and the login link of the identity provider is
accessible. (For details about how to create and verify an identity provider, see
Step 1: Create an Identity Provider.)
Procedure
If you configure identity conversion rules by clicking Create Rule, IAM converts
the rule parameters to the JSON format. Alternatively, you can click Edit Rule to
configure rules in the JSON format. For details, see Syntax of Identity Conversion
Rules.
● Creating a Rule
a. Choose Identity Providers from the navigation pane.
b. In the identity provider list, click Modify in the row containing the
identity provider.
c. In the Identity Conversion Rules area, click Create Rule. Then, configure
the rule in the Create Rule dialog box.
▪ Username: FederationUser-IdP_admin
----End
Related Operations
Viewing identity conversion rules: Click View Rule on the Modify Identity
Provider page. The identity conversion rules are displayed in the JSON format. For
details about the JSON format, see Syntax of Identity Conversion Rules.
NOTE
If no login link has been configured in your enterprise management system, federated users
in your enterprise can log in to HUAWEI CLOUD through the HUAWEI CLOUD login page.
For details, see Logging In as a Federated User.
Prerequisites
● An identity provider has been created, and the login link of the identity
provider is accessible. (For details about how to create and verify an identity
provider, see Step 1: Create an Identity Provider.)
● The login link of the identity provider has already been configured in the
enterprise management system for logging in to HUAWEI CLOUD.
Procedure
Step 1 Log in to the IAM console, and choose Identity Providers from the navigation
pane.
Step 2 Click View in the row containing the identity provider.
Step 3 Click Copy next to the login link.
Step 4 Add the following statement to the page file of the enterprise management
system:
<a href="<Login link>"> HUAWEI CLOUD Login </a>
Step 5 Log in to the enterprise management system, and then click the configured
HUAWEI CLOUD login link to access HUAWEI CLOUD.
----End
6. HUAWEI CLOUD parses the ID token in the authorization response, and issues
a token to the user after identifying the group to which the user is mapped,
according to the configured identity conversion rules.
7. If the login is successful, the user accesses HUAWEI CLOUD successfully.
Prerequisites
You have registered an account in HUAWEI CLOUD as an enterprise administrator,
and have created user groups and granted them permissions in IAM. For details,
see Creating a User Group and Assigning Permissions.
NOTE
The user groups created in IAM will be used to assign permissions to enterprise IdP users
mapped to HUAWEI CLOUD.
The configurations vary depending on the enterprise IdP. For details about the required
configurations, see the documentation of the enterprise IdP.
----End
Step 1 Log in to the IAM console, choose Identity Providers from the navigation pane,
and click Create Identity Provider in the upper right corner.
Step 2 Enter an identity provider name, select OpenID Connect and Enabled, and click
OK.
NOTE
----End
Parameter: Signing Key
Description: Public key used to sign the ID token of the OpenID Connect identity
provider. For account security purposes, change the signing key periodically.
----End
Step 2 Enter the username and password of a user that was created in the enterprise
management system.
● If the login is successful, add the login link to the enterprise management
system.
● If the login fails, check the username and password.
NOTE
Federated users only have read permissions for HUAWEI CLOUD by default. To assign
permissions to federated users, configure identity conversion rules for the identity provider.
For more information, see Step 2: Configure Identity Conversion Rules.
----End
Related Operations
● Viewing identity provider information: In the identity provider list, click View
in the row containing the identity provider, and view its basic information,
metadata, and identity conversion rules.
NOTE
To modify the configurations of an identity provider, click Modify at the bottom of the
details page.
● Modifying an identity provider: In the identity provider list, click Modify in the
row containing the identity provider, and then change its status and modify
the description, metadata, and identity conversion rules.
● Deleting an identity provider: In the identity provider list, click Delete in the
row containing the identity provider, and click Yes.
Follow-Up Procedure
● Configure identity conversion rules to map enterprise IdP users to IAM user
groups and grant the users permissions. For details, see Step 2: Configure
Identity Conversion Rules.
● Configure the enterprise management system to allow users to access
HUAWEI CLOUD through SSO. For details, see (Optional) Step 3: Configure
Login Link in the Enterprise Management System.
NOTE
● Modifications to identity conversion rules will take effect only after federated users log
in again.
● To modify the permissions of a user, modify the permissions of the user group to which
the user belongs. Then restart the enterprise IdP for the modifications to take effect.
Prerequisites
An identity provider has been created, and the login link of the identity provider is
accessible. (For details about how to create and verify an identity provider, see
Step 1: Create an Identity Provider.)
Procedure
If you configure identity conversion rules by clicking Create Rule, IAM converts
the rule parameters to the JSON format. Alternatively, you can click Edit Rule to
configure rules in the JSON format. For details, see Syntax of Identity Conversion
Rules.
● Creating a Rule
a. Choose Identity Providers from the navigation pane.
b. In the identity provider list, click Modify in the row containing the
identity provider.
c. In the Identity Conversion Rules area, click Create Rule. Then, configure
the rule in the Create Rule dialog box.
▪ Username: FederationUser-IdP_admin
On the Identity Providers page of the IAM console, click View in the row
containing the identity provider. Copy the login link displayed on the identity
provider details page, open the link using a browser, and then enter the username
and password used in the enterprise management system.
Step 2 Check that the federated user has the permissions assigned to the user group to
which the user belongs.
For example, an identity conversion rule has defined full permissions for all cloud
services for federated user ID1 in the admin user group. On the management
console, select any cloud service, and check if you can access the service.
----End
Related Operations
Viewing identity conversion rules: Click View Rule on the Modify Identity
Provider page. The identity conversion rules are displayed in the JSON format. For
details about the JSON format, see Syntax of Identity Conversion Rules.
NOTE
If no login link has been configured in your enterprise management system, federated users
in your enterprise can log in to HUAWEI CLOUD through the HUAWEI CLOUD login page.
For details, see Logging In as a Federated User.
Prerequisites
● An identity provider has been created, and the login link of the identity
provider is accessible. (For details about how to create and verify an identity
provider, see Step 1: Create an Identity Provider.)
● The login link of the identity provider has already been configured in the
enterprise management system for logging in to HUAWEI CLOUD.
Procedure
Step 1 Log in to the IAM console, and choose Identity Providers from the navigation
pane.
Step 4 Add the following statement to the page file of the enterprise management
system:
<a href="<Login link>"> HUAWEI CLOUD Login </a>
Step 5 Log in to the enterprise management system, and then click the configured
HUAWEI CLOUD login link to access HUAWEI CLOUD.
----End
Parameter description:
● local: Identity information of a federated user mapped to IAM. The value of
this field can contain placeholders, such as {0...n}. The attributes {0} and {1}
represent the first and second remote attributes of the user information,
respectively.
● remote: Information about a federated user of the identity provider. This field
is an expression consisting of assertion attributes and operators. The value of
this field is determined by the assertion.
– condition: Conditions for the identity conversion rule to take effect. The
following three types of conditions are supported:
NOTICE
The user information mapped to IAM can only contain letters, digits, spaces,
hyphens (-), underscores (_), and periods (.), and cannot start with a digit.
"type": "FirstName"
},
{
"type": "LastName"
},
{
"type": "Groups"
}
]
}
]
If the following assertion is received, the username of the federated user will
be John Smith and the user will belong to the admin and manager groups.
{FirstName: John}
{LastName: Smith}
{Groups: [admin, manager]}
Examples of the "any one of" and "not any of" Conditions
Unlike the empty condition, the any one of and not any of conditions return
Boolean values. These values will not be used to replace the local attributes. In the
following example, only {0} will be replaced by the returned value of the first
empty condition in the remote block. The value of group is fixed as admin.
● The username of the federated user in IAM is the value of the first remote
attribute, that is, UserName. The federated user belongs to the admin group.
This rule takes effect only for users who are members of the idp_admin
group in the identity provider.
[
{
"local": [
{
"user": {
"name": "{0}"
}
},
{
"group": {
"name": "admin"
}
}
],
"remote": [
{
"type": "UserName"
},
{
"type": "Groups",
"any_one_of": [
"idp_admin"
]
}
]
}
]
● If a federated user will belong to multiple user groups in IAM, the identity
conversion rule can be configured as follows:
The username of the federated user in IAM is the value of the first remote
attribute, that is, UserName. The federated user belongs to the admin and
manager groups. This rule takes effect only for users who are members of the
idp_admin group in the identity provider.
[
{
"local": [
{
"user": {
"name": "{0}"
}
},
{
"groups": "[\"admin\",\"manager\"]"
}
],
"remote": [
{
"type": "UserName"
},
{
"type": "Groups",
"any_one_of": [
"idp_admin"
]
}
]
}
]
– The following assertion indicates that the federated user John Smith is a
member of the idp_admin group. Therefore, the user can access HUAWEI
CLOUD.
{UserName: John Smith}
{Groups: [idp_user, idp_admin, idp_agency]}
– The following assertion indicates that the federated user John Smith is
not a member of the idp_admin group. Therefore, the rule does not take
effect for the user and the user cannot access HUAWEI CLOUD.
{UserName: John Smith}
{Groups: [idp_user, idp_agency]}
"regex": true
}
]
}
]
{
"type": "Groups",
"not_any_of": [
"idp_user",
"idp_agent"
]
}
]
}
]
The name of a federated user will be the username matched in the first rule that
takes effect, and the user will belong to all groups matched in all rules that take
effect. A federated user can log in only if at least one rule takes effect to match
the username. For easy understanding, username and user group rules can be
configured separately.
In the following example, the rules take effect for users in the idp_admin group.
The username of each applicable federated user is UserName in IAM and the user
belongs to the admin group.
[
{
"local": [
{
"user": {
"name": "{0}"
}
}
],
"remote": [
{
"type": "UserName"
}
]
},
{
"local": [
{
"group": {
"name": "admin"
}
}
],
"remote": [
{
"type": "Groups",
"any_one_of": [
"idp_admin"
]
}
]
}
]
The following assertion indicates that user John Smith is a member of the
idp_admin group in the identity provider and therefore meets the rules. The
username of this user will be John Smith in IAM, and the user will belong to the
admin group.
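To make the rule semantics described above concrete (an empty condition fills the {0..n} placeholders, any one of and not any of conditions only decide whether the rule takes effect, the username comes from the first effective rule, groups accumulate across all effective rules, and a user with no matched username cannot log in), here is an added Python evaluator. It is example code written for this page, not IAM's own implementation. The COMBINED_RULE and SPLIT_RULES rule sets are copied from the JSON above; the NAME_RULES local block, the assertions, and the way a multi-valued attribute fills a lone placeholder are constructed assumptions, as is the character check taken from the NOTICE.

```python
import json
import re

# Allowed characters for mapped user information (from the NOTICE above): letters, digits,
# spaces, hyphens, underscores and periods; the value cannot start with a digit.
MAPPED_VALUE_RE = re.compile(r"^[A-Za-z _.\-][A-Za-z0-9 _.\-]*$")
PLACEHOLDER_RE = re.compile(r"\{(\d+)\}")


def _values(assertion, attr):
    """Assertion attributes may be single- or multi-valued; always return a list."""
    v = assertion.get(attr)
    if v is None:
        return []
    return list(v) if isinstance(v, (list, tuple)) else [v]


def _matches(candidates, values, regex):
    """True if any assertion value equals (or, with "regex": true, fully matches) a candidate."""
    for pat in candidates:
        for v in values:
            if (re.fullmatch(pat, v) is not None) if regex else (pat == v):
                return True
    return False


def _evaluate_remote(remote, assertion):
    """Return the placeholder values {0..n} of a rule, or None if a condition fails."""
    placeholders = []
    for entry in remote:
        values = _values(assertion, entry["type"])
        regex = bool(entry.get("regex", False))
        if "any_one_of" in entry:
            if not _matches(entry["any_one_of"], values, regex):
                return None
            placeholders.append(None)  # Boolean condition: nothing to substitute
        elif "not_any_of" in entry:
            if _matches(entry["not_any_of"], values, regex):
                return None
            placeholders.append(None)
        elif not values:
            return None  # empty condition on an attribute the assertion does not carry
        else:
            placeholders.append(values)
    return placeholders


def _substitute(template, placeholders):
    """Expand {i} in a local value; a lone {i} may expand to a multi-valued attribute (assumed)."""
    def lookup(index):
        if index >= len(placeholders) or placeholders[index] is None:
            raise ValueError("{%d} does not refer to an empty-condition remote attribute" % index)
        return placeholders[index]
    whole = PLACEHOLDER_RE.fullmatch(template)
    if whole is not None:
        vals = lookup(int(whole.group(1)))
        return vals[0] if len(vals) == 1 else list(vals)
    return PLACEHOLDER_RE.sub(lambda m: " ".join(lookup(int(m.group(1)))), template)


def _as_group_list(value):
    if isinstance(value, list):
        return value
    return json.loads(value) if value.startswith("[") else [value]  # "[\"admin\",\"manager\"]" form


def map_federated_user(rules, assertion):
    """Apply identity conversion rules to an assertion; None means the user cannot log in."""
    username, groups = None, []
    for rule in rules:
        placeholders = _evaluate_remote(rule["remote"], assertion)
        if placeholders is None:
            continue  # this rule does not take effect
        for item in rule["local"]:
            if "user" in item:
                name = _substitute(item["user"]["name"], placeholders)
                name = name if isinstance(name, str) else " ".join(name)
                if username is None:
                    username = name  # first effective rule decides the username
            elif "group" in item or "groups" in item:
                template = item["group"]["name"] if "group" in item else item["groups"]
                for g in _as_group_list(_substitute(template, placeholders)):
                    if g not in groups:
                        groups.append(g)  # groups accumulate across all effective rules
    if username is None:
        return None
    for value in [username] + groups:
        if not MAPPED_VALUE_RE.match(value):
            raise ValueError("mapped value %r violates the allowed character set" % value)
    return {"name": username, "groups": groups}


# Rule sets copied from the JSON on this page, plus constructed sample assertions.
COMBINED_RULE = [{"local": [{"user": {"name": "{0}"}}, {"groups": "[\"admin\",\"manager\"]"}],
                  "remote": [{"type": "UserName"}, {"type": "Groups", "any_one_of": ["idp_admin"]}]}]
SPLIT_RULES = [{"local": [{"user": {"name": "{0}"}}], "remote": [{"type": "UserName"}]},
               {"local": [{"group": {"name": "admin"}}],
                "remote": [{"type": "Groups", "any_one_of": ["idp_admin"]}]}]
# Constructed local block for the FirstName/LastName/Groups assertion described above.
NAME_RULES = [{"local": [{"user": {"name": "{0} {1}"}}, {"groups": "{2}"}],
               "remote": [{"type": "FirstName"}, {"type": "LastName"}, {"type": "Groups"}]}]
ADMIN_ASSERTION = {"UserName": "John Smith", "Groups": ["idp_user", "idp_admin", "idp_agency"]}
PLAIN_ASSERTION = {"UserName": "John Smith", "Groups": ["idp_user", "idp_agency"]}

if __name__ == "__main__":
    print(map_federated_user(COMBINED_RULE, ADMIN_ASSERTION))
    print(map_federated_user(COMBINED_RULE, PLAIN_ASSERTION))  # None: cannot log in
    print(map_federated_user(SPLIT_RULES, PLAIN_ASSERTION))    # username only, no groups
```

Running the two rule sets against the same assertion shows the practical difference between the combined and the separated form: with the combined rule a user outside idp_admin gets no username and cannot log in at all, whereas with the split rules the user logs in with read-only default permissions and simply receives no group.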
NOTE
If your enterprise IdP is compatible with SAML or OpenID Connect, configure federated
identity authentication to enable users in your enterprise to access HUAWEI CLOUD
through SSO.
Prerequisites
● Your enterprise has an enterprise management system.
● You have registered an account (for example, DomainA) in HUAWEI CLOUD
as an enterprise administrator and have created a user group (for example,
GroupC) and assigned it the Agent Operator role. (For details, see Creating
a User Group and Assigning Permissions.)
Procedure
Step 1 Use the DomainA account to create an IAM user (for example, UserB) and add
the user to GroupC by following the instructions in Adding Users to a User
Group.
NOTE
Ensure that the IAM user can programmatically access HUAWEI CLOUD services. For
details about how to change the access type, see Viewing or Modifying IAM User
Information.
Step 2 Configure the access key (recommended) or username and password of UserB in
the configuration file of your enterprise IdP so that the user can obtain a token for
calling APIs. For account security, encrypt the password and access key before you
store them.
Step 3 In the navigation pane of the IAM console, choose Agencies. Then, click Create
Agency in the upper right corner.
Step 4 Set agency parameters.
For example, set the agency name to testagency, agency type to Account, and
delegated account to DomainA. Set the validity period and click Next.
Step 5 Set the authorization scope, and select the permissions you want to grant to the
agency.
Step 6 In the enterprise IdP, create a user group named testagency (same as the name
of the agency created in Step 4), add local users to the group, and grant the users
permissions to log in to HUAWEI CLOUD through a custom identity broker. For
details, see the documentation of the enterprise IdP.
Step 7 After a user logs in to the enterprise management system, the user can access the
custom identity broker of the enterprise IdP by selecting an agency from the
agency list. The user can obtain the agency from the security administrator or root
user. For details, see the documentation of the enterprise management system.
NOTE
The agencies of the identity broker must exist in HUAWEI CLOUD and have the same
names as some user groups created in the enterprise IdP.
Step 8 The custom identity broker uses the token of userB to call the API
POST /v3.0/OS-CREDENTIAL/securitytokens used to obtain a temporary securityToken.
For details, see Obtaining a Temporary Access Key and SecurityToken Through
an Agency.
NOTE
Step 9 The custom identity broker uses the temporary access key, securityToken, and
global domain name of IAM (iam.myhuaweicloud.com) to call the API
POST /v3.0/OS-AUTH/securitytoken/logintokens for obtaining a loginToken. The value
of X-Subject-LoginToken in the response header is a loginToken. For details, see
Obtaining a LoginToken.
NOTE
Step 10 The custom identity broker generates a FederationProxyUrl and returns it to the
browser through Location. The FederationProxyUrl will be in the following format:
https://auth.huaweicloud.com/authui/federation/login?idp_login_url={enterprise_system_loginURL}&service={console_service_region_url}&logintoken={logintoken}
Example:
https://auth.huaweicloud.com/authui/federation/login?idp_login_url=https%3A%2F%2Fexample.com&service=https%3a%2f%2fconsole.huaweicloud.com%2fapm%2f%3fregion%3dcn-north-4%23%2fapm%2fatps%2ftopology&logintoken=******
Parameter Description
For details about how to create a FederationProxyUrl, view the example provided
in Creating a FederationProxyUrl Using an Agency.
NOTE
The FederationProxyUrl contains the loginToken that has been obtained from IAM, and is
percent-encoded.
----End
import com.huaweicloud.sdk.core.auth.GlobalCredentials;
import com.huaweicloud.sdk.core.http.HttpConfig;
import com.huaweicloud.sdk.iam.v3.IamClient;
import com.huaweicloud.sdk.iam.v3.model.*;
import java.util.Collections;

// Use the domain ID (account ID), AK, and SK of userB to initialize the specified IAM client
// "{Service}Client". For details about how to create userB, see section "Creating an IAM User".
// The endpoint is the IAM global endpoint named in Step 9; the HTTP configuration uses the SDK defaults.
String endpoint = "https://iam.myhuaweicloud.com";
HttpConfig config = HttpConfig.getDefaultHttpConfig();
IamClient iamClient = IamClient.newBuilder()
    .withCredential(new GlobalCredentials()
        .withDomainId("domainId")
        .withAk("ak")
        .withSk("sk"))
    .withEndpoint(endpoint)
    .withHttpConfig(config)
    .build();
/* CreateTemporaryAccessKeyByAgency
   Call the API used to obtain a temporary access key and securityToken with an agency.
   The default validity period of an access key and securityToken is 900 seconds, that is, 15 minutes.
   The value ranges from 15 minutes to 24 hours. In this example, the validity period is set to
   3600 seconds, that is, 1 hour.
   When you obtain a loginToken with a specified validity period, ensure that the validity period of
   the loginToken is not greater than the remaining validity period of the securityToken.
*/
IdentityAssumerole identityAssumerole = new IdentityAssumerole()
    .withAgencyName("testagency")
    .withDomainId("0525e2c87exxxxxxx")
    .withSessionUser(new AssumeroleSessionuser().withName("ExternalUser"))
    .withDurationSeconds(3600);
AgencyAuth agencyAuth = new AgencyAuth().withIdentity(new AgencyAuthIdentity()
    .withAssumeRole(identityAssumerole)
    .withMethods(Collections.singletonList(AgencyAuthIdentity.MethodsEnum.fromValue("assume_role"))));
CreateTemporaryAccessKeyByAgencyRequestBody createTemporaryAccessKeyByAgencyRequestBody =
    new CreateTemporaryAccessKeyByAgencyRequestBody().withAuth(agencyAuth);
CreateTemporaryAccessKeyByAgencyResponse createTemporaryAccessKeyByAgencyResponse =
    iamClient.createTemporaryAccessKeyByAgency(
        new CreateTemporaryAccessKeyByAgencyRequest().withBody(createTemporaryAccessKeyByAgencyRequestBody));
Credential credential = createTemporaryAccessKeyByAgencyResponse.getCredential();
/* CreateLoginToken
   Obtain a loginToken.
   LoginTokens are issued to users to log in through custom identity brokers. Each loginToken contains
   identity and session information of a user.
   To log in to a cloud service console using a custom identity broker URL, call this API to obtain a
   loginToken for authentication.
   The default validity period of a loginToken is 600 seconds, that is, 10 minutes. The value ranges
   from 10 minutes to 12 hours. In this example, the validity period is set to 1800 seconds, that is,
   half an hour.
   Ensure that the validity period of the loginToken is not greater than the remaining validity period
   of the securityToken.
   When obtaining a securityToken with an agency, set the session_user.name parameter in the request body.
*/
CreateLoginTokenRequestBody createLoginTokenRequestBody = new CreateLoginTokenRequestBody()
    .withAuth(new LoginTokenAuth().withSecuritytoken(new LoginTokenSecurityToken()
        .withAccess(credential.getAccess())
        .withId(credential.getSecuritytoken())
        .withSecret(credential.getSecret())
        .withDurationSeconds(1800)));
CreateLoginTokenResponse createLoginTokenResponse =
    iamClient.createLoginToken(new CreateLoginTokenRequest().withBody(createLoginTokenRequestBody));
// The loginToken is returned in the X-Subject-LoginToken response header.
String loginToken = createLoginTokenResponse.getXSubjectLoginToken();
import urllib.parse  # for percent-encoding the FederationProxyUrl parameters
from huaweicloudsdkcore.auth.credentials import GlobalCredentials
from huaweicloudsdkcore.http.http_config import HttpConfig
from huaweicloudsdkiam.v3 import *

# Use the domain ID (account ID), AK, and SK of userB to initialize the specified IAM client
# "{Service}Client". For details about how to create userB, see section "Creating an IAM User".
# The placeholders "ak", "sk" and "domainId" stand for userB's credentials; the endpoint is the
# IAM global endpoint named in Step 9 and the HTTP configuration uses the SDK defaults.
credentials = GlobalCredentials("ak", "sk", "domainId")
config = HttpConfig.get_default_config()
endpoint = "https://iam.myhuaweicloud.com"
client = IamClient().new_builder(IamClient) \
    .with_http_config(config) \
    .with_credentials(credentials) \
    .with_endpoint(endpoint) \
    .build()
# CreateTemporaryAccessKeyByAgency
# Call the API used to obtain a temporary access key and securityToken with an agency.
# The default validity period of an access key and securityToken is 900 seconds, that is, 15 minutes.
# The value ranges from 15 minutes to 24 hours. In this example, the validity period is set to
# 3600 seconds, that is, 1 hour.
# When you obtain a loginToken with a specified validity period, ensure that the validity period of
# the loginToken is not greater than the remaining validity period of the securityToken.
# When obtaining a securityToken with an agency, set the session_user.name parameter in the request body.
assume_role_session_user = AssumeroleSessionuser(name="ExternalUser")
identity_assume_role = IdentityAssumerole(agency_name="testagency",
                                          domain_id="0525e2c87exxxxxxx",
                                          session_user=assume_role_session_user,
                                          duration_seconds=3600)
identity_methods = ["assume_role"]
body = CreateTemporaryAccessKeyByAgencyRequestBody(
    AgencyAuth(AgencyAuthIdentity(methods=identity_methods, assume_role=identity_assume_role)))
request = CreateTemporaryAccessKeyByAgencyRequest(body)
create_temporary_access_key_by_agency_response = client.create_temporary_access_key_by_agency(request)
credential = create_temporary_access_key_by_agency_response.credential
# CreateLoginToken
# Obtain a loginToken.
# The default validity period of a loginToken is 600 seconds, that is, 10 minutes. The value ranges
# from 10 minutes to 12 hours. In this example, the validity period is set to 1800 seconds, that is,
# half an hour.
# Ensure that the validity period of the loginToken is not greater than the remaining validity period
# of the securityToken.
login_token_security_token = LoginTokenSecurityToken(access=credential.access, secret=credential.secret,
                                                     id=credential.securitytoken, duration_seconds=1800)
body = CreateLoginTokenRequestBody(LoginTokenAuth(login_token_security_token))
request = CreateLoginTokenRequest(body)
create_login_token_response = client.create_login_token(request)
login_token = create_login_token_response.x_subject_login_token
NOTE
If your enterprise IdP is compatible with SAML or OpenID Connect, configure federated
identity authentication to enable users in your enterprise to access HUAWEI CLOUD
through SSO.
Prerequisites
● Your enterprise has an enterprise management system.
● You have registered an account (for example, DomainA) in HUAWEI CLOUD
as an enterprise administrator.
Procedure
Step 1 Use the DomainA account to create an IAM user (for example, UserB) by
following the instructions in Creating an IAM User.
Step 2 (Optional) Add UserB to a user group (for example, GroupC) and grant
permissions to the user group by following the instructions in Creating a User
Group and Assigning Permissions.
Step 3 Configure the access key (recommended) or username and password of UserB in
the configuration file of your enterprise IdP so that the user can obtain a user
token. For account security, encrypt the password and access key before you store
them.
Step 4 Log in to the enterprise management system, and access the custom identity broker
by selecting a common user from the user list. For details, see the documentation of
the enterprise management system. For this example, select user UserB created in
Step 2.
NOTE
The user list of the custom broker is the same as the IAM user list under your HUAWEI
CLOUD account. To align these IAM users with the user accounts in your enterprise,
configure the IAM users' access keys (recommended) or usernames and passwords in the
configuration file of the enterprise IdP.
Step 5 The custom identity broker uses the token of userB to call the API
POST /v3.0/OS-CREDENTIAL/securitytokens used to obtain a temporary access key and
securityToken. For details, see Obtaining a Temporary Access Key and
SecurityToken Through a Token.
Step 6 The custom identity broker uses the temporary access key, securityToken, and
global domain name of IAM (iam.myhuaweicloud.com) to call the API
POST /v3.0/OS-AUTH/securitytoken/logintokens for obtaining a loginToken. The value
of X-Subject-LoginToken in the response header is a loginToken. For details, see
Obtaining a LoginToken.
NOTE
Step 7 The custom identity broker generates a FederationProxyUrl and returns it to the
browser through Location.
https://auth.huaweicloud.com/authui/federation/login?idp_login_url={enterprise_system_loginURL}&service={console_service_region_url}&logintoken={logintoken}
Example:
https://auth.huaweicloud.com/authui/federation/login?idp_login_url=https%3A%2F%2Fexample.com&service=https%3a%2f%2fconsole.huaweicloud.com%2fapm%2f%3fregion%3dcn-north-4%23%2fapm%2fatps%2ftopology&logintoken=******
Parameter Description
For details about how to create a FederationProxyUrl, view the example provided
in Creating a FederationProxyUrl Using a Token.
NOTE
The FederationProxyUrl contains the loginToken that has been obtained from IAM, and the
value of each parameter in the FederationProxyUrl is encoded using URLEncode.
----End
import com.huaweicloud.sdk.core.auth.GlobalCredentials;
import com.huaweicloud.sdk.core.http.HttpConfig;
import com.huaweicloud.sdk.iam.v3.IamClient;
import com.huaweicloud.sdk.iam.v3.model.*;
import java.util.Collections;

// Use the domain ID (account ID), AK, and SK of userB to initialize the specified IAM client
// "{Service}Client". For details about how to create userB, see section "Creating an IAM User".
// domainId, ak and sk hold userB's credentials (loaded from the encrypted configuration file of
// Step 3); the endpoint is the IAM global endpoint named in Step 6.
String endpoint = "https://iam.myhuaweicloud.com";
HttpConfig config = HttpConfig.getDefaultHttpConfig();
IamClient iamClient = IamClient.newBuilder()
    .withCredential(new GlobalCredentials()
        .withDomainId(domainId)
        .withAk(ak)
        .withSk(sk))
    .withEndpoint(endpoint)
    .withHttpConfig(config)
    .build();
/* CreateTemporaryAccessKeyByToken
   Call the API used to obtain a temporary access key and securityToken with a token.
   The default validity period of an access key and securityToken is 900 seconds, that is, 15 minutes.
   The value ranges from 15 minutes to 24 hours. In this example, the validity period is set to
   3600 seconds, that is, 1 hour.
   When you obtain a loginToken with a specified validity period, ensure that the validity period of
   the loginToken is not greater than the remaining validity period of the securityToken.
*/
TokenAuthIdentity tokenAuthIdentity = new TokenAuthIdentity()
    .withMethods(Collections.singletonList(TokenAuthIdentity.MethodsEnum.fromValue("token")))
    .withToken(new IdentityToken().withDurationSeconds(3600));
CreateTemporaryAccessKeyByTokenRequestBody createTemporaryAccessKeyByTokenRequestBody =
    new CreateTemporaryAccessKeyByTokenRequestBody().withAuth(new TokenAuth().withIdentity(tokenAuthIdentity));
CreateTemporaryAccessKeyByTokenResponse createTemporaryAccessKeyByTokenResponse =
    iamClient.createTemporaryAccessKeyByToken(
        new CreateTemporaryAccessKeyByTokenRequest().withBody(createTemporaryAccessKeyByTokenRequestBody));
Credential credential = createTemporaryAccessKeyByTokenResponse.getCredential();
/* CreateLoginToken
   Obtain a loginToken.
   LoginTokens are issued to users to log in through custom identity brokers. Each loginToken contains
   identity and session information of a user.
   To log in to a cloud service console using a custom identity broker URL, call this API to obtain a
   loginToken for authentication.
   The default validity period of a loginToken is 600 seconds, that is, 10 minutes. The value ranges
   from 10 minutes to 12 hours. In this example, the validity period is set to 1800 seconds, that is,
   half an hour.
   Ensure that the validity period of the loginToken is not greater than the remaining validity period
   of the securityToken.
*/
CreateLoginTokenRequestBody createLoginTokenRequestBody = new CreateLoginTokenRequestBody()
    .withAuth(new LoginTokenAuth().withSecuritytoken(new LoginTokenSecurityToken()
        .withAccess(credential.getAccess())
        .withId(credential.getSecuritytoken())
        .withSecret(credential.getSecret())
        .withDurationSeconds(1800)));
CreateLoginTokenResponse createLoginTokenResponse =
    iamClient.createLoginToken(new CreateLoginTokenRequest().withBody(createLoginTokenRequestBody));
// The loginToken is returned in the X-Subject-LoginToken response header.
String loginToken = createLoginTokenResponse.getXSubjectLoginToken();
import urllib.parse  # for percent-encoding the FederationProxyUrl parameters
from huaweicloudsdkcore.auth.credentials import GlobalCredentials
from huaweicloudsdkcore.http.http_config import HttpConfig
from huaweicloudsdkiam.v3 import *

# Use the domain ID (account ID), AK, and SK of userB to initialize the specified IAM client
# "{Service}Client". For details about how to create userB, see section "Creating an IAM User".
# ak, sk and domain_id hold userB's credentials (loaded from the encrypted configuration file of
# Step 3); the endpoint is the IAM global endpoint named in Step 6.
credentials = GlobalCredentials(ak, sk, domain_id)
config = HttpConfig.get_default_config()
endpoint = "https://iam.myhuaweicloud.com"
client = IamClient().new_builder(IamClient) \
    .with_http_config(config) \
    .with_credentials(credentials) \
    .with_endpoint(endpoint) \
    .build()
# CreateTemporaryAccessKeyByToken
# Call the API used to obtain a temporary access key and securityToken with a token.
# The default validity period of an access key and securityToken is 900 seconds, that is, 15 minutes.
# The value ranges from 15 minutes to 24 hours. In this example, the validity period is set to
# 3600 seconds, that is, 1 hour.
# When you obtain a loginToken with a specified validity period, ensure that the validity period of
# the loginToken is not greater than the remaining validity period of the securityToken.
identity_methods = ["token"]
identity_token = IdentityToken(duration_seconds=3600)
body = CreateTemporaryAccessKeyByTokenRequestBody(
    TokenAuth(TokenAuthIdentity(methods=identity_methods, token=identity_token)))
request = CreateTemporaryAccessKeyByTokenRequest(body)
create_temporary_access_key_by_token_response = client.create_temporary_access_key_by_token(request)
credential = create_temporary_access_key_by_token_response.credential
# CreateLoginToken
# Obtain a loginToken.
# LoginTokens are issued to users to log in through custom identity brokers. Each loginToken contains
# identity and session information of a user.
# To log in to a cloud service console using a custom identity broker URL, call this API to obtain a
# loginToken for authentication.
# The default validity period of a loginToken is 600 seconds, that is, 10 minutes. The value ranges
# from 10 minutes to 12 hours. In this example, the validity period is set to 1800 seconds, that is,
# half an hour.
# Ensure that the validity period of the loginToken is not greater than the remaining validity period
# of the securityToken.
login_token_security_token = LoginTokenSecurityToken(access=credential.access, secret=credential.secret,
                                                     id=credential.securitytoken, duration_seconds=1800)
body = CreateLoginTokenRequestBody(LoginTokenAuth(login_token_security_token))
request = CreateLoginTokenRequest(body)
create_login_token_response = client.create_login_token(request)
login_token = create_login_token_response.x_subject_login_token
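The SDK samples above (both the agency flow and the token flow) stop at obtaining the loginToken; the remaining broker step is to assemble the FederationProxyUrl with every parameter percent-encoded, while respecting the validity-period rule repeated in the sample comments. The following Python is an added example written for this page, not Huawei's SDK or console code. It assumes the validity ranges stated in the comments above and uses constructed sample values (example.com, an APM console URL taken from the page's example, and an obviously fake loginToken placeholder).

```python
from urllib.parse import parse_qs, urlencode, urlsplit

FEDERATION_LOGIN_ENDPOINT = "https://auth.huaweicloud.com/authui/federation/login"

# Validity ranges stated in the comments of the SDK samples above (assumed here).
SECURITY_TOKEN_RANGE = (900, 24 * 3600)  # 15 minutes to 24 hours
LOGIN_TOKEN_RANGE = (600, 12 * 3600)     # 10 minutes to 12 hours


def check_durations(security_token_seconds, login_token_seconds, elapsed_seconds=0):
    """Validate both validity periods and return the loginToken duration to request.

    elapsed_seconds is how long ago the securityToken was issued: the loginToken must
    not outlive the securityToken's remaining validity.
    """
    lo, hi = SECURITY_TOKEN_RANGE
    if not lo <= security_token_seconds <= hi:
        raise ValueError("securityToken validity must be within %d..%d seconds" % (lo, hi))
    lo, hi = LOGIN_TOKEN_RANGE
    if not lo <= login_token_seconds <= hi:
        raise ValueError("loginToken validity must be within %d..%d seconds" % (lo, hi))
    remaining = security_token_seconds - elapsed_seconds
    if login_token_seconds > remaining:
        raise ValueError("loginToken validity (%ds) exceeds the securityToken's remaining validity (%ds)"
                         % (login_token_seconds, remaining))
    return login_token_seconds


def build_federation_proxy_url(idp_login_url, service_url, login_token):
    """Assemble the FederationProxyUrl.

    urlencode percent-encodes each value, so the '?', '#', '/' and '=' inside the console
    URL cannot be mistaken for delimiters of the outer query string.
    """
    query = urlencode({"idp_login_url": idp_login_url,
                       "service": service_url,
                       "logintoken": login_token})
    return FEDERATION_LOGIN_ENDPOINT + "?" + query


def parse_federation_proxy_url(url):
    """Inverse of build_federation_proxy_url: check the endpoint and decode the three parameters."""
    parts = urlsplit(url)
    if parts.scheme + "://" + parts.netloc + parts.path != FEDERATION_LOGIN_ENDPOINT:
        raise ValueError("not a FederationProxyUrl: " + url)
    params = parse_qs(parts.query, strict_parsing=True)
    return {key: params[key][0] for key in ("idp_login_url", "service", "logintoken")}


# Constructed sample values; a real loginToken comes from the X-Subject-LoginToken header.
SAMPLE_IDP_LOGIN_URL = "https://example.com"
SAMPLE_SERVICE_URL = "https://console.huaweicloud.com/apm/?region=cn-north-4#/apm/atps/topology"
SAMPLE_LOGIN_TOKEN = "LOGIN_TOKEN_PLACEHOLDER"

if __name__ == "__main__":
    check_durations(3600, 1800)  # the samples' values: 1 h securityToken, 30 min loginToken
    url = build_federation_proxy_url(SAMPLE_IDP_LOGIN_URL, SAMPLE_SERVICE_URL, SAMPLE_LOGIN_TOKEN)
    print(url)
    print(parse_federation_proxy_url(url))
```

The round trip through parse_federation_proxy_url is the check a broker should keep in its tests: if the service URL is inserted without encoding, its own "#" and "&" truncate the query and the loginToken never reaches the console.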
MFA Authentication
Virtual MFA Device
Application Scenarios
MFA authentication is suitable for login protection and critical operation
protection.
● Login protection: When you or an IAM user under your account logs in to the
console, you and the user need to enter a verification code in addition to the
username and password.
● Operation protection: When you or an IAM user under your account attempts to
perform a critical operation, such as deleting an ECS resource, you and the
user need to enter a verification code to proceed.
For more information about login protection and critical operation protection, see
Critical Operation Protection.
Step 2 Click the Critical Operations tab, and click Bind next to Virtual MFA Device.
Step 3 Set up the MFA application by scanning the QR code or manually entering the
secret key.
You can bind a virtual MFA device to your account by scanning the QR code or
entering the secret key.
The manual entry function is time-based. Ensure that automatic time setup has been
enabled on your mobile phone.
Step 4 View the verification code on the MFA application. The code is automatically
updated every 30 seconds.
Step 5 On the Bind Virtual MFA Device page, enter two consecutive verification codes
and click OK.
----End
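The binding procedure above asks for two consecutive verification codes, and the codes change every 30 seconds because a virtual MFA device is a time-based one-time password generator. To show what the console is checking, here is an added Python implementation of the verification side (RFC 4226 HOTP and RFC 6238 TOTP with a 30-second step). It is example code for this page, not HUAWEI CLOUD's implementation; the seed used in the demonstration is the public RFC 6238 test seed, and the drift window in verify_login_code is an assumption.

```python
import base64
import hashlib
import hmac
import struct
import time

TOTP_STEP_SECONDS = 30  # the code on the MFA application changes every 30 seconds
TOTP_DIGITS = 6


def hotp(secret, counter, digits=TOTP_DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, unix_time, step=TOTP_STEP_SECONDS):
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, int(unix_time) // step)


def secret_from_base32(key):
    """The seed entered manually (or carried in the QR code) is base32; decode it to bytes."""
    key = key.replace(" ", "").upper()
    return base64.b32decode(key + "=" * (-len(key) % 8))


def verify_binding(secret, first_code, second_code, unix_time=None):
    """Binding check as on the page: two consecutive codes must belong to consecutive time steps.

    One matching code could be a guess; two in a row show the device holds the seed and that
    its clock agrees with the server's (which is why automatic time setup matters). The pair
    may be the (previous, current) or the (current, next) step.
    """
    now = time.time() if unix_time is None else unix_time
    counter = int(now) // TOTP_STEP_SECONDS
    for c in (counter - 1, counter):
        if (hmac.compare_digest(hotp(secret, c), first_code)
                and hmac.compare_digest(hotp(secret, c + 1), second_code)):
            return True
    return False


def verify_login_code(secret, code, unix_time=None, window=1):
    """Login / critical-operation check: accept the current step plus `window` steps of drift (assumed)."""
    now = time.time() if unix_time is None else unix_time
    counter = int(now) // TOTP_STEP_SECONDS
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-window, window + 1))


# Public RFC 6238 reference seed ("12345678901234567890"), base32-encoded as an app would receive it.
RFC_TEST_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    seed = secret_from_base32(RFC_TEST_SEED_B32)
    print(totp(seed, 59), totp(seed, 1111111109))                # RFC 6238 vectors: 287082 081804
    print(verify_binding(seed, "287082", "359152", unix_time=89))  # True
```

The comparisons use hmac.compare_digest rather than == so that a wrong code takes the same time to reject whichever digit differs.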
Open the MFA application on your smart device, view the verification code
displayed next to your account, and then enter the code on the console.
● IAM user: If the mobile phone of an IAM user is unavailable or the virtual
MFA device has been deleted from the phone, the user can request the
administrator to remove the virtual MFA device.
● Account administrator: If the mobile phone associated with the account is
unavailable or the virtual MFA device has been deleted from the phone, the
account administrator can contact customer service to remove the virtual
MFA device.
Step 2 Click the Critical Operations tab, and click Unbind next to Virtual MFA Device.
Step 3 On the Unbind Virtual MFA Device page, enter a verification code generated by
the MFA application.
----End
If the mobile phone of an IAM user is unavailable or the virtual MFA device has
been deleted from the user's phone, as an administrator, you can remove the
virtual MFA device by performing the following procedure:
Step 2 On the Users page, click Security Settings in the row containing the user for
whom you want to remove the bound virtual MFA device.
Step 3 On the Security Settings tab page, click Remove next to Virtual MFA Device.
----End
Enabling CTS
Viewing IAM Audit Logs
Procedure
Step 1 Log in to the management console.
Step 2 If you log in to HUAWEI CLOUD using an account, go to Step 3. If you log in as an IAM
user, request the administrator to grant you the following permissions:
● Security Administrator
● CTS FullAccess
For details, see Assigning Permissions to an IAM User.
Step 3 Choose Service List > Management & Governance > Cloud Trace Service.
● When using CTS, you must have the required permissions for relevant operations, but do
not need to be granted the Security Administrator role again.
● After you enable CTS, the system automatically creates two trackers to record
management traces, that is, operations (such as creation, login, and deletion) performed
on all cloud resources.
– In the current region, a tracker is created to record management traces of all
project-level services deployed in this region.
– In the CN-Hong Kong region, a tracker is created to record management traces of
all global services, such as IAM.
----End
CTS records all operations performed on IAM, such as creating users and user
groups. Table 12-1 shows the IAM operations that can be recorded by CTS.
Procedure
Step 1 On the IAM console, perform an operation, such as creating a user named CTS-
Test.
Step 2 Log in to the CTS console and view the operation records of IAM.
NOTE
IAM is a global service, and the operations on IAM will be recorded by CTS under the CN-
Hong Kong project by default. On the CTS console, switch to the CN-Hong Kong region
and then view IAM operation records.
Step 4 Click View Trace on the right of a trace to view the trace structure.
----End
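The procedure above ends with viewing the trace structure of a recorded IAM operation. As an added example (not code from this manual or from CTS itself), the block below parses a small set of constructed trace records in the shape a practitioner would export from CTS, filters them down to IAM operations, and summarises them the way an audit review would. The field names (trace_name, service_type, resource_name, trace_status, user, source_ip) and the operation names such as createUser are assumptions for illustration; check them against the trace structure shown by View Trace on your own console.

```python
import json
from collections import Counter

# Constructed sample traces (not real CTS output). Field names are assumed to
# follow the CTS trace structure; values are invented for the example.
SAMPLE_TRACES_JSON = """
[
  {"trace_name": "createUser",   "service_type": "IAM", "resource_type": "user",
   "resource_name": "CTS-Test",   "trace_status": "normal",
   "user": {"name": "admin-a", "domain": {"name": "example-account"}},
   "source_ip": "198.51.100.10", "time": 1630560000000},
  {"trace_name": "createGroup",  "service_type": "IAM", "resource_type": "group",
   "resource_name": "ops-team",   "trace_status": "normal",
   "user": {"name": "admin-a", "domain": {"name": "example-account"}},
   "source_ip": "198.51.100.10", "time": 1630560060000},
  {"trace_name": "login",        "service_type": "IAM", "resource_type": "user",
   "resource_name": "CTS-Test",   "trace_status": "normal",
   "user": {"name": "CTS-Test", "domain": {"name": "example-account"}},
   "source_ip": "203.0.113.7",   "time": 1630560120000},
  {"trace_name": "deleteServer", "service_type": "ECS", "resource_type": "ecs",
   "resource_name": "web-01",     "trace_status": "normal",
   "user": {"name": "admin-a", "domain": {"name": "example-account"}},
   "source_ip": "198.51.100.10", "time": 1630560180000},
  {"trace_name": "deleteUser",   "service_type": "IAM", "resource_type": "user",
   "resource_name": "old-user",   "trace_status": "warning",
   "user": {"name": "admin-b", "domain": {"name": "example-account"}},
   "source_ip": "203.0.113.9",   "time": 1630560240000}
]
"""


def load_traces(raw: str) -> list:
    """Parse an exported trace list (JSON array of trace objects)."""
    return json.loads(raw)


def iam_traces(traces: list) -> list:
    """Keep only traces recorded for the IAM service (the global-service tracker)."""
    return [t for t in traces if t.get("service_type") == "IAM"]


def count_by_operation(traces: list) -> dict:
    """Number of traces per operation name, e.g. how many users were created."""
    return dict(Counter(t.get("trace_name") for t in traces))


def find_operation(traces: list, trace_name: str, resource_name: str):
    """Locate the trace for one specific action, such as creating user CTS-Test."""
    for t in traces:
        if t.get("trace_name") == trace_name and t.get("resource_name") == resource_name:
            return t
    return None


def non_normal(traces: list) -> list:
    """Traces whose status is anything other than 'normal' deserve a closer look."""
    return [t for t in traces if t.get("trace_status") != "normal"]


def actors(traces: list) -> dict:
    """Map each operator (user name) to the set of source IPs they acted from."""
    seen = {}
    for t in traces:
        name = t.get("user", {}).get("name")
        seen.setdefault(name, set()).add(t.get("source_ip"))
    return seen


if __name__ == "__main__":
    iam = iam_traces(load_traces(SAMPLE_TRACES_JSON))
    print(count_by_operation(iam))
    print(find_operation(iam, "createUser", "CTS-Test")["user"]["name"])
    print([t["trace_name"] for t in non_normal(iam)])
```

Because IAM is a global service, an export taken from any region other than CN-Hong Kong will contain no IAM traces, so an empty result from iam_traces is the first thing to check before concluding that no IAM activity occurred.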
13 Quotas
What Is a Quota?
A quota is a limit on the quantity or capacity of a certain type of service resources
that a user can use. For example, the maximum number of IAM users or user
groups that you can create.
If the current resource quota cannot meet your service requirements, you can
apply for a higher quota.
2. Click in the upper left corner and select a region and project.
3. In the upper right corner of the page, choose Resources > My Quotas.
The Service Quota page is displayed.
4. On the Service Quota page, view the used and total quotas of each type of
resources.
If the quota cannot meet your service requirements, increase the quota.
2. In the upper right corner of the page, choose Resources > My Quotas.
The Service Quota page is displayed.
14 Change History
Released On Description